
EOS EVM v0.4.2 Release Notes

@arhag arhag released this 16 May 01:00
3530f2c

This release fixes a critical security vulnerability discovered in EOS EVM. The components EOS EVM Contract, EOS EVM Node, and EOS EVM RPC must all be upgraded.

Components

EOS EVM Contract

PRs

  • (536) fix silkworm stability


The vulnerability lies in the state objects that track the reserved addresses of the trustless bridge: updates to them were not properly undone when an EVM execution context was reverted, so a reverted call could leave that tracking state out of sync with the rest of the reverted state. If exploited, it could potentially have allowed an attacker to illegitimately drain all of the EOS held by the EOS EVM Contract on behalf of the trustless bridge.
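The failure mode described above, shown as an added example that is not silkworm or EOS EVM code: a toy EVM-style state with a revert journal, where balances are always journaled but the side table of "reserved" bridge addresses is only journaled when a flag is set. With the flag off, a nested call can flip the reserved marker, revert, and have the balance change rolled back while the marker change survives, which is the kind of inconsistency the notes describe. ToyState, the flag name and the bridge address are hypothetical, and the block does not reproduce the actual exploit sequence, which this page does not give.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <variant>
#include <vector>

// Added example, not silkworm or EOS EVM code. It models the bug class the
// release notes describe: an EVM-style state with a revert journal, where a
// side table of "reserved" bridge addresses is either recorded in that
// journal or (the bug pattern) silently skipped. ToyState, the flag name and
// the bridge address are hypothetical.
using Address = std::string;

struct BalanceEntry  { Address addr; std::uint64_t previous; };
struct ReservedEntry { Address addr; bool previously_reserved; };
using JournalEntry = std::variant<BalanceEntry, ReservedEntry>;

class ToyState {
public:
    // journal_reserved_addresses == false reproduces the bug pattern:
    // reserved-address updates are applied but never journaled, so a revert
    // cannot undo them.
    explicit ToyState(bool journal_reserved_addresses)
        : journal_reserved_addresses_(journal_reserved_addresses) {}

    std::uint64_t balance(const Address& a) const {
        auto it = balances_.find(a);
        return it == balances_.end() ? 0 : it->second;
    }
    void set_balance(const Address& a, std::uint64_t v) {
        journal_.push_back(BalanceEntry{a, balance(a)});
        balances_[a] = v;
    }

    bool is_reserved(const Address& a) const { return reserved_.count(a) != 0; }
    void set_reserved(const Address& a, bool r) {
        if (journal_reserved_addresses_) {
            journal_.push_back(ReservedEntry{a, is_reserved(a)});
        }
        if (r) reserved_.insert(a); else reserved_.erase(a);
    }

    // A snapshot is just the journal length; reverting unwinds newer entries.
    std::size_t snapshot() const { return journal_.size(); }
    void revert_to(std::size_t snap) {
        while (journal_.size() > snap) {
            const JournalEntry& e = journal_.back();
            if (const auto* b = std::get_if<BalanceEntry>(&e)) {
                balances_[b->addr] = b->previous;
            } else if (const auto* r = std::get_if<ReservedEntry>(&e)) {
                if (r->previously_reserved) reserved_.insert(r->addr);
                else reserved_.erase(r->addr);
            }
            journal_.pop_back();
        }
    }

private:
    bool journal_reserved_addresses_;
    std::map<Address, std::uint64_t> balances_;
    std::set<Address> reserved_;
    std::vector<JournalEntry> journal_;
};

// Simulates a nested call frame that un-reserves the bridge address and moves
// its balance, then reverts. Returns true when the reservation change leaks
// past the revert while the balance change is rolled back, i.e. the
// inconsistency the release notes describe.
bool reservation_leaks_after_revert(bool journal_reserved_addresses) {
    ToyState st(journal_reserved_addresses);
    const Address bridge = "bridge.reserved";   // hypothetical reserved address
    st.set_balance(bridge, 1000);
    st.set_reserved(bridge, true);

    const std::size_t frame = st.snapshot();    // enter sub-call
    st.set_reserved(bridge, false);             // sub-call flips the marker
    st.set_balance(bridge, 0);                  // and drains the balance
    st.revert_to(frame);                        // sub-call reverts

    const bool balance_restored = st.balance(bridge) == 1000;
    return balance_restored && !st.is_reserved(bridge);
}

int main() {
    std::printf("unjournaled side table leaks after revert: %s\n",
                reservation_leaks_after_revert(false) ? "yes" : "no");
    std::printf("journaled side table leaks after revert:   %s\n",
                reservation_leaks_after_revert(true) ? "yes" : "no");
    return 0;
}
```

The design point is that every mutable structure the execution context can touch must be covered by the same journal that the revert path unwinds; a side table maintained outside the journal is exactly what a reverted frame cannot clean up.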

This vulnerability has already been patched in the deployment of EOS EVM on the EOS mainnet. It has also been patched in the deployment of EOS EVM on the Jungle4 testnet.

EOS EVM Node and RPC

PRs

  • (536) fix silkworm stability


The patch to the security vulnerability is in the silkworm engine shared by both the EOS EVM Contract and the EOS EVM Node. So the patched EOS EVM Node must also be deployed alongside the updated EOS EVM Contract to ensure consistency between the two components.

While updating the EOS EVM Contract alone is sufficient to prevent any loss of funds, it is important to also update the EOS EVM Node, because otherwise the same exploit could be used to take down the EOS EVM Node and EOS EVM RPC.

An additional stability improvement to EOS EVM Node is also included as part of this same release.

Building, compatibility, and upgrading

Compatibility

The fix to the security vulnerability is technically a breaking change to EOS EVM. However, the vulnerability does not appear to have been exploited on either the EOS EVM testnet or mainnet, so no existing block depends on the old behaviour. Therefore the fix can be treated as a simple retroactive change to the EVM.

Upgrading

Upgrading EOS EVM Contract from v0.4.1 simply requires a setcode of the v0.4.2 contract. There are no changes to the ABI.

Upgrading EOS EVM Node and EOS EVM RPC from v0.4.1 only requires restarting the services with the updated binaries.
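A scripted form of the contract upgrade above, added here as an example rather than taken from the EOS EVM project: it performs the setcode and then checks that the code hash the chain reports equals the sha256 of the wasm that was built, which catches a setcode against the wrong account or a stale build before the nodes are restarted. It assumes cleos is installed and already pointed at the target chain, and it uses two hypothetical environment variables, EVM_CONTRACT_ACCOUNT and EVM_CONTRACT_WASM, since the contract account name is not given on this page.

```shell
#!/bin/sh
# Added example, not from the EOS EVM project. Assumes cleos is installed and
# that EVM_CONTRACT_ACCOUNT (the account hosting the EOS EVM Contract) and
# EVM_CONTRACT_WASM (the v0.4.2 wasm you built) are set; both are hypothetical
# names chosen for this script.
set -eu

# sha256 of a file, portable across sha256sum (Linux) and shasum (macOS).
wasm_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 when the local wasm hash equals the hash in "cleos get code"
# output, which prints a line of the form "code hash: <hex>". The on-chain
# code hash is the sha256 of the raw wasm bytes passed to setcode.
code_hash_matches() {
    local_hash=$(wasm_sha256 "$1")
    onchain_hash=$(printf '%s\n' "$2" | sed -n 's/^code hash: *//p' | tr 'A-F' 'a-f')
    if [ -n "$onchain_hash" ] && [ "$local_hash" = "$onchain_hash" ]; then
        return 0
    fi
    return 1
}

# The v0.4.1 -> v0.4.2 contract upgrade: a single setcode, no ABI change,
# followed by a check that the chain now reports the hash of the wasm we built.
upgrade_contract() {
    account=${EVM_CONTRACT_ACCOUNT:?set to the EOS EVM Contract account}
    wasm=${EVM_CONTRACT_WASM:?set to the path of the v0.4.2 wasm}
    echo "local wasm sha256: $(wasm_sha256 "$wasm")"
    cleos set code "$account" "$wasm"
    if code_hash_matches "$wasm" "$(cleos get code "$account")"; then
        echo "on-chain code hash matches the v0.4.2 build"
    else
        echo "code hash mismatch after setcode; do not restart nodes yet" >&2
        return 1
    fi
}

# Only run the chain-touching part when cleos and the variables are present,
# so the helper functions above can still be exercised offline.
if command -v cleos >/dev/null 2>&1 && [ -n "${EVM_CONTRACT_ACCOUNT:-}" ]; then
    upgrade_contract
fi
```

Once the hash check passes, restart the EOS EVM Node and EOS EVM RPC services with the v0.4.2 binaries, as the note above says; restarting them before the contract is confirmed would leave the two components on different silkworm behaviour.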

Further details on changes since last release

Contributors

Special thanks to the contributors that submitted patches for this release:

Full list of changes since last release

PRs

  • (513) Enable keep alive to read and test endpoint
  • (536) fix silkworm stability
  • (539) version bump 0.4.2


Full Changelog: v0.4.1...v0.4.2