PT-2023-29428 · Frontier · Frontier

Published

2023-10-13

·

Updated

2023-10-24

·

CVE-2023-45130

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Frontier versions prior to commit aea528198b3b226e0d20cce878551fd4c0e3d5d0
Description: The issue arises when opcode SUICIDE marks a contract for deletion and the software uses storage::remove_prefix (since renamed to storage::clear_prefix) to remove all storage associated with it. This can be slow for large contracts and may exceed the relay chain's Proof of Validity (PoV) size limit for parachains. An attacker can craft a contract with numerous storage values on a parachain, call opcode SUICIDE, and potentially stall the parachain if the transaction is included in a block. This is particularly problematic for XCM transactions, which cannot be skipped.
Recommendations: For parachains, issue an emergency runtime upgrade as soon as possible. For standalone chains, issue a normal runtime upgrade as soon as possible.
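The unbounded prefix deletion described above, beside a bounded variant that spreads the work across calls, as an added illustration in Rust; this is not Frontier's code and does not reproduce its actual fix, and the toy Storage type, its key layout and its method names are assumptions made for the example.

```rust
// Added example (not Frontier's code): a toy key-value store modelling
// contract storage keyed as address bytes followed by slot bytes, with the
// unbounded clear-on-SUICIDE pattern beside a bounded, resumable variant.
use std::collections::BTreeMap;

#[derive(Default)]
pub struct Storage {
    pub map: BTreeMap<Vec<u8>, Vec<u8>>,
}

impl Storage {
    /// Insert `n` slots for `addr` (constructed test data).
    pub fn fill(&mut self, addr: &[u8], n: u32) {
        for i in 0..n {
            let mut key = addr.to_vec();
            key.extend_from_slice(&i.to_be_bytes());
            self.map.insert(key, vec![0xAA]);
        }
    }

    /// Vulnerable pattern: remove every key under `prefix` in one call.
    /// Work, and the proof that has to carry it, grows with storage size.
    pub fn clear_prefix_unbounded(&mut self, prefix: &[u8]) -> usize {
        let keys: Vec<Vec<u8>> = self.map.range(prefix.to_vec()..)
            .take_while(|(k, _)| k.starts_with(prefix))
            .map(|(k, _)| k.clone())
            .collect();
        for k in &keys { self.map.remove(k); }
        keys.len()
    }

    /// Mitigation pattern: remove at most `limit` keys per call and report
    /// whether more remain, so a runtime can finish the deletion over several
    /// blocks instead of producing one oversized block.
    pub fn clear_prefix_bounded(&mut self, prefix: &[u8], limit: usize) -> (usize, bool) {
        let keys: Vec<Vec<u8>> = self.map.range(prefix.to_vec()..)
            .take_while(|(k, _)| k.starts_with(prefix))
            .take(limit + 1)
            .map(|(k, _)| k.clone())
            .collect();
        let more = keys.len() > limit;
        let to_remove = &keys[..keys.len().min(limit)];
        for k in to_remove { self.map.remove(k); }
        (to_remove.len(), more)
    }
}
```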

Exploit

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related identifiers

CVE-2023-45130
GHSA-GC88-2GVV-GP3V

Affected products

Frontier