CVE-2021-41138: Validity check missing in Frontier

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.6778%
Published: 10/13/2021
Updated: 10/24/2024
KEV Status: No
Technology: Rust

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| pallet-ethereum | rust | <= 3.0.0 | |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from validation logic being split between transaction pool and block execution contexts. The commit diff shows `validate_self_contained` was refactored into `validate_transaction_in_pool` (for pool checks) and `validate_transaction_in_block` (for execution checks). The original implementation lacked execution-phase validation, as evidenced by the introduction of `pre_dispatch_self_contained` calling `validate_transaction_in_block` in the patch. This missing block execution validation is the root cause described in the CVE.
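
The bug class described above, as an added toy model that is not Frontier's code: validity rules enforced only at pool admission do not constrain a block author, who chooses the block's transactions directly. All names here (`validate`, `pool_admit`, `apply_block`) and the specific nonce and fee checks are assumptions made for the illustration.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy)]
pub struct Tx { pub from: u8, pub nonce: u64, pub fee: u64 }

#[derive(Default, Clone, Copy)]
pub struct Account { pub nonce: u64, pub balance: u64 }

pub type State = HashMap<u8, Account>;

/// Validity rules that both contexts are supposed to enforce (assumed checks).
pub fn validate(state: &State, tx: &Tx) -> Result<(), &'static str> {
    let acct = state.get(&tx.from).copied().unwrap_or_default();
    if tx.nonce != acct.nonce { return Err("bad nonce"); }
    if tx.fee > acct.balance { return Err("cannot pay fee"); }
    Ok(())
}

/// Pool admission: only filters transactions that arrive through the pool.
pub fn pool_admit(state: &State, tx: &Tx) -> bool { validate(state, tx).is_ok() }

/// Block execution. The author supplies `txs`, so the pool is never consulted.
/// `check_in_block = false` models the pre-patch path, `true` the patched one.
pub fn apply_block(state: &mut State, txs: &[Tx], check_in_block: bool)
    -> Result<usize, &'static str>
{
    let mut applied = 0;
    for tx in txs {
        if check_in_block { validate(state, tx)?; } // pre-dispatch validation
        let acct = state.entry(tx.from).or_default();
        acct.balance = acct.balance.saturating_sub(tx.fee); // underpays silently if unchecked
        acct.nonce += 1;
        applied += 1;
    }
    Ok(applied)
}

/// Returns (pool verdict, unpatched block result, patched block result).
pub fn demo() -> (bool, Result<usize, &'static str>, Result<usize, &'static str>) {
    let genesis: State = HashMap::from([(1u8, Account { nonce: 0, balance: 10 })]);
    let bad = Tx { from: 1, nonce: 0, fee: 50 }; // constructed: fee exceeds balance
    let in_pool = pool_admit(&genesis, &bad);
    let unpatched = apply_block(&mut genesis.clone(), &[bad], false);
    let patched = apply_block(&mut genesis.clone(), &[bad], true);
    (in_pool, unpatched, patched)
}

fn main() { println!("{:?}", demo()); }
```

The pool rejects the constructed transaction, the unchecked execution path applies it anyway, and the path that re-validates at execution time refuses the block.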

WAF Protection Rules

WAF Rule

### Impact

In the newly introduced signed Frontier-specific extrinsic for `pallet-ethereum`, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advan
