
CVE-2021-39193: Transaction validity oversight in pallet-ethereum

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.52227%
Published: 9/1/2021
Updated: 10/24/2024
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| pallet-ethereum | rust | <= 3.0.0 | |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing input validation in the transaction validation flow. The key evidence comes from:

  1. The patch in PR #465 adds gasometer checks for transaction costs in validate_unsigned
  2. The CWE-1284 classification indicates improper quantity validation
  3. The vulnerability description specifically mentions missing input data size validation
  4. The commit diff shows the critical validation was added to validate_unsigned
  5. The test case added in the patch verifies transaction rejection based on gas/data cost

validate_unsigned was the entry point for transaction validation and lacked critical checks for transaction viability before inclusion in blocks.
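As an added illustration (not pallet-ethereum's own code, which this page only describes), the following Rust model shows the kind of check a hardened `validate_unsigned` performs: it computes the transaction's intrinsic gas from its input data and rejects any transaction whose gas limit cannot cover it. The base and per-byte costs are assumed EVM (Istanbul) values, and `Transaction` is a simplified stand-in for the pallet's type.

```rust
// Added example, not pallet-ethereum's own code: a minimal model of the
// intrinsic-gas check that a hardened `validate_unsigned` performs before a
// transaction is admitted. Gas constants are assumed EVM (Istanbul) values.

const G_TRANSACTION: u64 = 21_000; // base cost charged to every transaction
const G_TXCREATE: u64 = 32_000;    // extra cost when `to` is None (contract creation)
const G_TXDATAZERO: u64 = 4;       // per zero byte of input data
const G_TXDATANONZERO: u64 = 16;   // per non-zero byte of input data

/// Simplified stand-in for the pallet's transaction type (assumption).
pub struct Transaction {
    pub to: Option<[u8; 20]>,
    pub gas_limit: u64,
    pub input: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum InvalidTransaction {
    /// The gas limit cannot even pay for the transaction's own input data.
    GasLimitTooLow { required: u64, provided: u64 },
}

/// Gas a transaction must pay before a single EVM opcode runs.
/// Saturating arithmetic keeps an oversized `input` from wrapping the sum
/// to a small value, which would itself be an improper quantity check.
pub fn intrinsic_gas(tx: &Transaction) -> u64 {
    let data_cost = tx.input.iter().fold(0u64, |acc, &b| {
        acc.saturating_add(if b == 0 { G_TXDATAZERO } else { G_TXDATANONZERO })
    });
    let create_cost = if tx.to.is_none() { G_TXCREATE } else { 0 };
    G_TRANSACTION.saturating_add(create_cost).saturating_add(data_cost)
}

/// The check the vulnerable flow lacked: a transaction whose gas limit is
/// below its intrinsic cost is rejected here, before it can reach a block.
pub fn validate_unsigned(tx: &Transaction) -> Result<(), InvalidTransaction> {
    let required = intrinsic_gas(tx);
    if tx.gas_limit < required {
        return Err(InvalidTransaction::GasLimitTooLow { required, provided: tx.gas_limit });
    }
    Ok(())
}

fn main() {
    // Constructed sample: 100 non-zero data bytes with only the base gas budget.
    let tx = Transaction { to: Some([0u8; 20]), gas_limit: 21_000, input: vec![0xAB; 100] };
    println!("{:?}", validate_unsigned(&tx)); // Err(GasLimitTooLow { required: 22600, provided: 21000 })
}
```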


WAF Protection Rules

### Impact

A bug in `pallet-ethereum` can cause invalid transactions to be included in the Ethereum block state in `pallet-ethereum` due to not validating the input data size. Any invalid transactions included this way have no possibility to alter t
