CVE-2020-26265

Name of the Vulnerable Software and Affected Versions Geth versions 1.9.4 through 1.9.20

Description A consensus issue could cause a chain split, where vulnerable versions refuse to accept the canonical chain. This occurs due to an incorrect state calculation when processing a particular sequence of transactions. The issue arises from a subtle change in the semantics of createObject, which returns a non-nil object with deleted=true when the account has been destructed, causing the new object to inherit the old balance. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For Geth versions 1.9.4 through 1.9.20, upgrade to version 1.9.20 or a newer version to resolve the issue. As a temporary workaround, consider restricting the use of the vulnerable createObject function until a patch is available. Avoid using the createObject function with destructed accounts to minimize the risk of exploitation.