CVE-2024-21629

Name of the Vulnerable Software and Affected Versions rust-evm versions prior to 0.41.1

Description The issue is related to the record external operation feature in rust-evm, which allows library users to record custom gas changes. This feature can have bogus interactions with the call stack, particularly during finalization of a CREATE or CREATE2. If the substack execution happens successfully, rust-evm will first commit the substate and then call record external operation(Write(out code.len())). If record external operation later fails, this error is returned to the parent call stack, instead of Succeeded. Yet, the substate commitment already happened, causing smart contracts to commit state changes when the parent caller contract receives zero address, which usually indicates that the execution has failed. This issue only impacts library users with custom record external operation that returns errors.

Recommendations For versions prior to 0.41.1, update to release 0.41.1 to resolve the issue. As a temporary workaround, consider disabling the record external operation feature until a patch is available. Restrict access to the record external operation function to minimize the risk of exploitation. Avoid using the record external operation function in the affected API endpoint until the issue is resolved.