CVE-2025-54429
BaseFortify

Publication date: 2025-07-28

Last updated on: 2025-07-29

Assigner: GitHub, Inc.

Description
Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It's not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030.
Affected Vendors & Products
Vendor: polkadot
Product: frontier
Version / Range: * (all versions)
CWE
CWE-704 (Incorrect Type Conversion or Cast): The product does not correctly convert an object, resource, or structure from one type to a different type.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Polkadot Frontier involves an incorrect implementation of the CallableByContract mechanism, which determines whether certain precompiled contracts can be called by smart contracts. Specifically, the system mistakenly identified contract addresses created under CREATE or CREATE2 as externally owned accounts (EOA) instead of contract accounts. This misclassification affects users who implement custom precompiles relying on distinguishing between EOAs and contract accounts, potentially allowing unintended access paths. However, predefined precompiles in Frontier are not directly exploitable by this issue. The problem was fixed in version 0822030.

How can this vulnerability impact me?

If you use custom precompile implementations that depend on correctly identifying account types (EOA vs. contract), this vulnerability could lead to incorrect access control, potentially allowing smart contracts to call precompiles they should not be able to. This could result in unintended behavior or security risks in your smart contract interactions. However, if you only use predefined precompiles, this vulnerability does not directly affect you.
What immediate steps should I take to mitigate this vulnerability?

Upgrade Polkadot Frontier to version 0822030 or later, where the issue with CallableByContract implementation is fixed.