CVE-2021-41153

The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a **high** severity security advisory if you use `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after `0.31.0`. This is a **low** severity security advisory if you use `evm` crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory. It is **not** recommended to update to on or after `0.31.0` until all the normal chain upgrade preparations have been done. If you use Frontier or other `pallet-evm` based Substrate blockchain, please ensure to update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this.

The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a **high** severity security advisory if you use `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after `0.31.0`. This is a **low** severity security advisory if you use `evm` crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory. It is **not** recommended to update to on or after `0.31.0` until all the normal chain upgrade preparations have been done. If you use Frontier or other `pallet-evm` based Substrate blockchain, please ensure to update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this.

### Impact In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. ### Patches This is a **high** severity security advisory if you use `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after `0.31.0`. This is a **low** severity security advisory if you use `evm` crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory. It is **not** recommended to update to on or after `0.31.0` until all the normal chain upgrade preparations have been done. If you use Frontier or other `pallet-evm` based Substrate blockchain, please ensure to update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this. ### Workarounds If you are dependent on an older version of `evm` and cannot update due to API interface changes, please contact Wei by email (wei@that.world), who will be happy to help you to publish patch releases for older `evm` versions. ### References Fix PR: https://github.com/rust-blockchain/evm/pull/67 ### For more information If you have any questions or comments about this advisory: * Open an issue in the `evm` repo. ### Special thanks Special thanks to @rakita for reporting this issue.

### Impact In `evm` crate `< 0.31.0`, `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. ### Patches This is a **high** severity security advisory if you use `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to on or after `0.31.0`. This is a **low** severity security advisory if you use `evm` crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory. It is **not** recommended to update to on or after `0.31.0` until all the normal chain upgrade preparations have been done. If you use Frontier or other `pallet-evm` based Substrate blockchain, please ensure to update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this. ### Workarounds If you are dependent on an older version of `evm` and cannot update due to API interface changes, please contact Wei by email (wei@that.world), who will be happy to help you to publish patch releases for older `evm` versions. ### References Fix PR: https://github.com/rust-blockchain/evm/pull/67 ### For more information If you have any questions or comments about this advisory: * Open an issue in the `evm` repo. ### Special thanks Special thanks to @rakita for reporting this issue.

La crate evm es una implementación pura de Rust de la máquina virtual de Ethereum. En "evm" crate "versiones anteriores a 0.31.0", la condición del opcode "JUMPI" se comprueba después de la comprobación de validez del destino. Sin embargo, de acuerdo con Geth y OpenEthereum, la comprobación de la condición debe ocurrir antes de la comprobación de la validez del destino. Este es un aviso de seguridad **elevada** si usas la crate "evm" para la mainnet de Ethereum. En este caso, debe actualizar su dependencia de la biblioteca inmediatamente a la versión "0.31.0" o posterior. Este es un aviso de seguridad de **baja** gravedad si usas "evm" crate en Frontier o en una blockchain independiente, porque no se presenta ninguna explotación de seguridad posible con este aviso. No se recomienda actualizar a la versión "0.31.0" o posterior hasta que se hayan realizado todos los preparativos normales de actualización de la cadena. Si usa Frontier u otra cadena de bloques basada en "pallet-evm", asegúrese de actualizar su "spec_version" antes de actualizar esto. Para otras blockchains, por favor asegúrese de seguir un proceso de hard-fork antes de actualizar esto