Ethereum, Transaction Malleability Issue, CVE-2025-XXXX (Moderate)


How the CVE Works

The vulnerability arises because the `ethereum` Rust crate (v0.17.0 and earlier) does not enforce the EIP-2 signature malleability check for EIP-2930, EIP-1559, and EIP-7702 (typed) transactions, although it does enforce it for legacy transactions. An ECDSA signature (r, s) has a twin (r, secp256k1n - s) over the same message that recovers to the same signer, so anyone who sees a signed transaction can rewrite its signature without invalidating it; EIP-2 closes this by requiring s to be at most secp256k1n/2, and the crate applied that rule only on the legacy path. The rewritten transaction carries the same sender, nonce and payload but a different transaction hash, which breaks applications that track transactions by hash. While this does not directly enable fund theft, it violates EIP-2 and can cause inconsistencies in transaction tracking. The issue is fixed in ethereum v0.18.0.

DailyCVE Form

Platform: Ethereum
Version: <0.18.0
Vulnerability: Malleability bypass
Severity: Moderate
Date: Jul 2, 2025

Prediction: Patch available (v0.18.0)

What Undercode Say

Analytics:

Check crate version (any ethereum 0.17.x or older in the dependency tree is affected)
cargo tree | grep ethereum
Verify transaction malleability (illustrative; `is_legacy` and `is_malleable` are placeholder names, not the crate's API)
// Returns true for a typed (non-legacy) transaction whose signature carries a
// high s value, i.e. one the EIP-2 check should have rejected.
fn check_malleability(tx: &Transaction) -> bool {
    !tx.is_legacy() && tx.signature.is_malleable()
}

How to Exploit

  • Take a signed EIP-2930/1559/7702 transaction and replace its signature s value with secp256k1n - s, flipping the y-parity bit; the signature still recovers to the original sender.
  • Broadcast or record the rewritten transaction: it is the same transaction with a different hash, so anything keyed by transaction hash now sees two entries for one transaction.

Protection from this CVE

  • Upgrade the `ethereum` crate to v0.18.0 or later.
  • Until then, apply the EIP-2 low-s rule yourself to typed transactions: reject any EIP-2930/1559/7702 transaction whose signature s value exceeds secp256k1n/2.

Impact

  • Mainnet: High (spec deviation).
  • Private chains: Low (no direct exploit).

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

πŸ”JOIN OUR CYBER WORLD [ CVE News β€’ HackMonitor β€’ UndercodeNews ]

πŸ’¬ Whatsapp | πŸ’¬ Telegram

πŸ“’ Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | πŸ”— Linkedin Featured Image

Scroll to Top