
CVE-2022-37450: Go Ethereum allows attackers to use manipulation of time-difference values to achieve replacement of main-chain blocks

CVSS Score: 5.9 (CVSS 3.1)

Basic Information

EPSS Score: 0.52851%
CWE: -
Published: 8/6/2022
Updated: 1/27/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| github.com/ethereum/go-ethereum | go | <= 1.10.21 | |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from how fork choice handles timestamp-based difficulty adjustments and tiebreaking. The `ReorgNeeded` function in `forkchoice.go` (lines 91-94, as referenced in advisories) implements logic in which manipulated timestamps could create equal-difficulty scenarios, triggering the vulnerable probabilistic tiebreaker. This matches the described Riskless Uncle Making (RUM) attack vector, in which timestamp manipulation enables main-chain replacement without risk.
