Impact

There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety.

For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts.

The underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract.

Patches

The issue is fixed in PR 1655.

The issue only affects you if you use a custom precompile implementation that utilize AddressType::EOA and AddressType::Contract. It's not directly exploitable in any of the predefined precompiles in Frontier.

Credits

This issue is discovered in a security audit by SRLabs with the Moonbeam team. Polkadot Assurance Legion (PAL) financially contributed to the security audit.