PT-2022-23042 · Ethermint

Credits: Tomtau +1
Published: 2022-08-05 · Updated: 2024-08-21
CVE: CVE-2022-35936
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions

Ethermint: versions prior to v0.17.2. Note: v0.17.2 is not documented as a fixed release; only v0.18.0 is named as fixed, so all Ethermint versions before v0.18.0 are treated as vulnerable.
Cronos: versions prior to v0.8.0.
Description

The issue arises when a contract invokes the selfdestruct function, which permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the DeleteAccount function, all contracts that used the identical bytecode will also stop working once one contract invokes selfdestruct. This can lead to a denial-of-service (DoS) for all contracts that share the same bytecode. No smart contracts were impacted through the use of this vulnerability due to successful coordinated security vulnerability disclosure. Smart contract states and storage values are not affected by this vulnerability.
Recommendations

For Ethermint versions prior to v0.17.2, upgrade to version v0.18.0 or later. For Cronos versions prior to v0.8.0, upgrade to version v0.8.0 or later. As a temporary workaround, if a contract is subject to DoS due to this issue, the user can redeploy the same contract with identical bytecode to recover the original contract's code.
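To make the failure mode in the description and the redeploy workaround above concrete, here is an added Go model (constructed for this page, not Ethermint's or Cronos's code) of a content-addressed code store: accounts reference bytecode by hash, so a DeleteAccount that drops the code entry breaks every contract sharing that hash, while a variant that only removes the destructed account does not. The "fixed" behaviour is an assumption about the shape of the fix, not the project's actual patch.

```go
package main

import "crypto/sha256"

// Constructed model of a content-addressed EVM code store (not Ethermint's code):
// accounts hold a code hash, so contracts with identical bytecode share one entry.
type Account struct{ CodeHash string }
type Store struct {
	Accounts map[string]*Account // address -> account
	Code     map[string][]byte   // code hash -> bytecode
}

func NewStore() *Store {
	return &Store{Accounts: map[string]*Account{}, Code: map[string][]byte{}}
}

func codeHash(code []byte) string {
	h := sha256.Sum256(code)
	return string(h[:]) // raw digest bytes are a fine map key
}

// Deploy stores the bytecode under its hash (a second deploy of identical
// bytecode reuses the same entry) and points the new account at it.
func (s *Store) Deploy(addr string, code []byte) {
	h := codeHash(code)
	s.Code[h] = code
	s.Accounts[addr] = &Account{CodeHash: h}
}

// GetCode returns the bytecode an address resolves to, or nil if none remains.
func (s *Store) GetCode(addr string) []byte {
	if acc, ok := s.Accounts[addr]; ok {
		return s.Code[acc.CodeHash]
	}
	return nil
}

// DeleteAccountVulnerable reproduces the flaw in the advisory: selfdestruct drops
// the code entry by its shared hash, so every other account using it dangles.
func (s *Store) DeleteAccountVulnerable(addr string) {
	if acc, ok := s.Accounts[addr]; ok {
		delete(s.Code, acc.CodeHash)
		delete(s.Accounts, addr)
	}
}

// DeleteAccountFixed removes only the destructed account and leaves the shared,
// content-addressed code in place (assumed shape of the fix, not the real patch).
func (s *Store) DeleteAccountFixed(addr string) { delete(s.Accounts, addr) }
```

Redeploying the identical bytecode after the vulnerable delete re-creates the shared entry, which is why the workaround in the recommendations restores the original contract's code.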


Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2022-35936
GHSA-F92V-GRC2-W2FG
GHSA-GWJ5-WP6R-5Q9F
GO-2022-0760
GO-2022-0829

Affected Products

Cronos
Ethermint