CVE-2023-45130

7.5 HIGH

📋 TL;DR

This vulnerability in Frontier (Substrate's Ethereum compatibility layer) allows an attacker to deploy contracts with excessive amounts of storage and then trigger the SUICIDE opcode on them; the resulting storage cleanup inflates the block's proof-of-validity (PoV) beyond the relay chain's size limit, causing the parachain to stall. It primarily affects parachains using Frontier; standalone chains face a less severe, mainly performance-related impact.

💻 Affected Systems

Products:
  • Frontier (Substrate Ethereum compatibility layer)
Versions: All versions prior to commit aea528198b3b226e0d20cce878551fd4c0e3d5d0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Parachains are most severely affected; standalone chains have less severe impact mainly affecting performance.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Parachain stalls completely when PoV size exceeds relay chain limits, blocking all transactions including critical XCM transactions that cannot be skipped.

🟠

Likely Case

Parachain performance degradation and potential stalling when attackers exploit this with large storage contracts.

🟢

If Mitigated

Normal operation with proper patching; standalone chains experience minimal impact even without patching.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The attack requires the ability to deploy contracts and execute the SUICIDE opcode, but the exploit technique is straightforward once that access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit aea528198b3b226e0d20cce878551fd4c0e3d5d0

Vendor Advisory: https://github.com/paritytech/frontier/security/advisories/GHSA-gc88-2gvv-gp3v

Restart Required: Yes

Instructions:

1. Update Frontier to commit aea528198b3b226e0d20cce878551fd4c0e3d5d0 or later.
2. For parachains: Perform an emergency runtime upgrade immediately.
3. For standalone chains: Perform a normal runtime upgrade as soon as possible.

🔧 Temporary Workarounds

No known workarounds

The vendor advisory states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Monitor for unusual contract deployment patterns with large storage usage
  • Implement rate limiting or additional validation for contract deployment and SUICIDE operations

🔍 How to Verify

Check if Vulnerable:

Check the Frontier version or commit hash in use; if it is earlier than aea528198b3b226e0d20cce878551fd4c0e3d5d0, the system is vulnerable.

Check Version:

Check the Frontier source code, or the runtime's pinned Frontier dependency, for commit hash aea528198b3b226e0d20cce878551fd4c0e3d5d0.

Verify Fix Applied:

Verify that Frontier is running commit aea528198b3b226e0d20cce878551fd4c0e3d5d0 or later and that the runtime upgrade has been applied on-chain.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large storage deletion operations
  • PoV size limit warnings or errors
  • Contract SUICIDE operations on contracts with extensive storage

Network Indicators:

  • Sudden parachain stalling or transaction failures
  • Increased block production times

SIEM Query:

Search blockchain logs for 'SUICIDE opcode execution' events combined with 'storage::remove_prefix' or 'storage::clear_prefix' operations.
