CVE-2025-54427
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-28

Last updated on: 2025-07-29

Assigner: GitHub, Inc.

Description
Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. The extrinsic note_min_gas_price_target is an inherent extrinsic, meaning only the block producer can call it. To ensure correctness, the ProvideInherent trait should be implemented for each inherent, which includes the check_inherent call. This allows other nodes to verify if the input (in this case, the target value) is correct. However, prior to commit a754b3d, the check_inherent function has not been implemented for note_min_gas_price_target. This lets the block producer set the target value without verification. The target is then used to set the MinGasPrice, which has an upper and lower bound defined in the on_initialize hook. The block producer can set the target to the upper bound. Which also increases the upper and lower bounds for the next block. Over time, this could result in continuously raising the gas price, making contract execution too expensive and ineffective for users. An attacker could use this flaw to manipulate the gas price, potentially leading to significantly inflated transaction fees. Such manipulation could render contract execution prohibitively expensive for users, effectively resulting in a denial-of-service condition for the network. This is fixed in version a754b3d.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-28
Last Modified
2025-07-29
Generated
2026-05-07
AI Q&A
2025-07-29
EPSS Evaluated
2026-05-05
NVD
CVE-2025-54427
EUVD
EUVD-2025-22951
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
polkadot frontier *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-682 The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Polkadot Frontier's note_min_gas_price_target extrinsic, which is supposed to be called only by the block producer. The problem is that the check_inherent function, which verifies the correctness of the target gas price value, was not implemented. This allows the block producer to set the gas price target without any verification, potentially setting it to the upper bound. Over time, this can cause the gas price to continuously increase, making contract execution very expensive or ineffective for users. Essentially, an attacker controlling the block producer can manipulate gas prices to create a denial-of-service condition by inflating transaction fees.


How can this vulnerability impact me? :

If exploited, this vulnerability can lead to significantly inflated gas prices on the Polkadot Frontier network. This makes executing smart contracts prohibitively expensive for users, effectively causing a denial-of-service condition. Users may find it too costly or impossible to perform transactions or interact with contracts, disrupting normal network operations and user experience.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update Polkadot Frontier to the fixed version that includes commit a754b3d, which implements the check_inherent function for note_min_gas_price_target. This prevents block producers from manipulating the gas price. Until the update is applied, monitor for unusual increases in gas price and consider restricting block producer privileges if possible.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart