Polkadot Frontier Smart Contract Precompile Call Bypass Vulnerability

A vulnerability exists in Polkadot Frontier's handling of precompiled contracts, allowing smart contracts under construction to bypass address type checks and access precompiles that should be restricted. This issue arises because the system incorrectly identifies these contracts as externally owned accounts (EOAs) instead of recognizing them as contracts. The vulnerability is present in versions prior to commit 0822030 and affects custom precompile implementations that rely on accurate address type distinctions.

Impact

Exploitation of this vulnerability could lead to unauthorized access to precompiled contract functionalities, potentially allowing for complex logic-based attacks that manipulate the state or behavior of the application.

Reproduction

The vulnerability can be reproduced by deploying a smart contract that calls a precompiled contract during its construction phase. Since the contract is not yet fully initialized, the address type check will incorrectly classify it as an EOA, allowing the call to succeed. This can be verified by attempting the same call from a fully deployed contract, which will fail as expected.

Remediation

Users should update to Polkadot Frontier version 0822030 or later, where this vulnerability has been fixed.