CVE-2021-43839
HIGHCronos < 0.6.5 - Transaction Fee Theft via Custom MsgEthereumTx
Title source: llmDescription
Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw9r
Patch, Third Party Advisory x_refsource_misc
https://github.com/crypto-org-chain/cronos/pull/270
Patch, Third Party Advisory x_refsource_misc
https://github.com/crypto-org-chain/cronos/commit/150ef237b37ac28c8136e1c0f494932860b9ebe8
Scores
CVSS v3
7.5
EPSS
0.0131
EPSS Percentile
66.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-670
Status
published
Products (6)
crypto/cronos
< 0.6.5
crypto/ethermint
< 0.7.3
crypto/evmos
< 0.4.2
crypto-org-chain/cronos
0 - 0.6.5Go
tharsis/ethermint
0.8.0 - 0.10.0Go
tharsis/evmos
0Go
Published
Dec 21, 2021
Tracked Since
Feb 18, 2026