PT-2022-24922 · Sputnikvm · Sputnikvm
Published: 2022-10-25 · Updated: 2022-10-28 · CVE-2022-39354
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
SputnikVM versions prior to 0.36.0
Description
A custom stateful precompile can use the is_static parameter to determine whether the call is executed in a static context, and thus decide whether stateful operations should be performed. Prior to version 0.36.0, the is_static value passed to the precompile was incorrect: it was only set to true if the call came from a direct STATICCALL opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually use is_static. For those affected, the issue can lead to possible incorrect state transitions.
Recommendations
For versions prior to 0.36.0, update to version 0.36.0 to resolve the issue. As a temporary workaround, consider reviewing custom precompiles that use the is_static parameter to ensure they handle stateful operations correctly until the update is applied.
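The flag propagation described above, as a simplified model added here for illustration; it is not SputnikVM code, and `CallKind`, `precompile_store`, `writes_applied` and the two flag functions are hypothetical names. It shows why a precompile reached through a plain CALL nested inside a STATICCALL performs a write under the direct-only rule and rejects it once the static context is inherited.

```rust
// Simplified model of nested EVM call frames. Not SputnikVM's types or API.
#[derive(Clone, Copy, PartialEq)]
enum CallKind {
    Call,
    StaticCall,
}

// Behaviour the advisory describes before 0.36.0: the flag handed to the
// precompile reflects only the opcode of the immediate call.
fn is_static_direct_only(kind: CallKind, _parent_static: bool) -> bool {
    kind == CallKind::StaticCall
}

// Corrected rule: once a frame is static, every nested frame stays static.
fn is_static_inherited(kind: CallKind, parent_static: bool) -> bool {
    parent_static || kind == CallKind::StaticCall
}

// Hypothetical stateful precompile that refuses to write in a static context.
fn precompile_store(is_static: bool, state: &mut Vec<u64>) -> Result<(), &'static str> {
    if is_static {
        return Err("state change attempted in static context");
    }
    state.push(1);
    Ok(())
}

// Enter each call in `chain` in order (the last one targets the precompile)
// and return how many state writes the precompile performed.
fn writes_applied(chain: &[CallKind], flag: fn(CallKind, bool) -> bool) -> usize {
    let mut state = Vec::new();
    let mut is_static = false; // the top-level transaction frame is not static
    for &kind in chain {
        is_static = flag(kind, is_static);
    }
    let _ = precompile_store(is_static, &mut state);
    state.len()
}

fn main() {
    // Constructed case: a contract is entered via STATICCALL, then uses a
    // plain CALL to reach the precompile.
    let nested = [CallKind::StaticCall, CallKind::Call];
    println!("direct-only flag: {} write(s)", writes_applied(&nested, is_static_direct_only));
    println!("inherited flag:   {} write(s)", writes_applied(&nested, is_static_inherited));
}
```

The same nested-call case is a useful regression test when reviewing a custom precompile: the write must be rejected at any depth below a STATICCALL, not only when STATICCALL targets the precompile directly.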
Affected Products
Sputnikvm