CVE-2021-43839 in Cronos
Summary
by MITRE • 12/21/2021
Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 12/25/2021
The vulnerability identified as CVE-2021-43839 affects the Cronos blockchain implementation, which operates as a commercial blockchain platform built on Cosmos SDK infrastructure. This security flaw exists in versions prior to v0.6.5 and represents a critical financial integrity issue that could allow malicious actors to manipulate transaction fee collection mechanisms. The vulnerability specifically targets the FeeCollector module within the Cosmos SDK framework that manages transaction fees for network operations.
The technical exploitation of this vulnerability occurs through the manipulation of Ethereum-compatible transaction messages using the MsgEthereumTx type. Attackers can craft custom transaction payloads that exploit a flaw in how the Cronos node processes fee collection for the current block. This allows unauthorized parties to extract transaction fees that should normally be collected and distributed to validators, effectively creating a mechanism for fee theft or manipulation. The vulnerability leverages the interoperability between Ethereum transaction formats and the Cosmos SDK's fee handling system, creating an unexpected interaction that bypasses normal security controls.
The operational impact of this vulnerability extends beyond simple financial loss as it undermines the fundamental economic security model of the Cronos network. Validator nodes that remain on vulnerable versions become susceptible to fee extraction attacks that could significantly impact their revenue streams and overall network security. The vulnerability affects the entire validator ecosystem since any node operator running pre-v0.6.5 versions could potentially be compromised, leading to cascading effects on network stability and trust. This represents a critical issue in blockchain consensus mechanisms where economic incentives must remain intact for proper network operation.
The fix implemented in Cronos v0.6.5 addresses the core issue by properly validating transaction fee handling within the Ethereum transaction processing pipeline. This upgrade ensures that MsgEthereumTx messages correctly interact with the FeeCollector module without allowing unauthorized fee extraction. Security researchers have classified this vulnerability under CWE-284 Access Control, as it involves improper authorization mechanisms for fee collection. From an ATT&CK framework perspective, this represents a privilege escalation technique that targets the financial integrity of the network through transaction manipulation. The lack of tested workarounds means that node operators must perform immediate upgrades rather than implementing temporary mitigations, emphasizing the critical nature of this vulnerability. Network-wide security depends on prompt adoption of the patched version, as the vulnerability could enable coordinated attacks that compromise validator economic incentives and overall network security posture.