CVE-2022-39354: 
Rust vulnerability analysis and mitigation

SputnikVM (also called evm) is a Rust implementation of Ethereum Virtual Machine that was found to contain a vulnerability in versions <= 0.35.0. The issue, identified as CVE-2022-39354, was discovered and disclosed on October 25, 2022. The vulnerability affects the handling of the is_static parameter in custom stateful precompiles (GitHub Advisory).

The vulnerability stems from incorrect handling of the is_static parameter in custom stateful precompiles. The parameter was only set to true if the call came directly from a STATICCALL opcode, whereas the correct behavior should maintain the static state once a static call context is entered. This implementation error could lead to incorrect state transitions in the Ethereum Virtual Machine (GitHub Advisory).

The vulnerability could result in incorrect state transitions in systems using affected versions of SputnikVM. While the usage of custom precompiles that utilize the is_static parameter was estimated to be low, the potential for incorrect state transitions led to this being classified as a high-severity vulnerability (GitHub Advisory).

The vulnerability was patched in version 0.36.0 of the evm crate. The fix was implemented through Pull Request #133. For users unable to upgrade to version 0.36.0, the project maintainers offered to release older patch versions upon request, which could be obtained by contacting the maintainer directly (GitHub Advisory).