
Cloud Vulnerability DB
A community-led vulnerabilities database
Elrond-GO, a Go implementation for the Elrond Network protocol, was found to contain a processing vulnerability (CVE-2022-46173) affecting versions prior to 1.3.50. The vulnerability was discovered and disclosed on December 28, 2022. The issue affects nodes when processing cross-shard relayed transactions with smart contract deploy transaction data (GitHub Advisory).
The vulnerability stems from a bad correlation between transaction caches and the processing component. When a transaction is sent with more gas than required, the smart contract result (SCR transaction) that should return the leftover gas is incorrectly added to a cache that the processing unit does not consider. This results in the node stopping its notarization of metachain blocks. The CVSS v3.1 score for this vulnerability is 6.5 (Medium) according to NVD, while GitHub rates it at 7.2 (High) (NVD).
The primary impact of this vulnerability is that affected nodes stop notarizing metachain blocks, which can disrupt the normal operation of the blockchain network. This occurs specifically when processing cross-shard relayed transactions with smart contract deploy transaction data that contain excess gas (GitHub Advisory).
The vulnerability has been patched in version 1.3.50 of Elrond-GO. The fix extends the SCR transaction search to all other caches if it isn't found in the correct (expected) sharded-cache. No workarounds were available prior to the patch, making upgrading to version 1.3.50 or later the only solution (GitHub Advisory).
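The lookup change described above, as an added Go example. This is a simplified model and not elrond-go code: `ShardedPool`, `CacheID`, `SearchExpectedOnly` and `SearchWithFallback` are hypothetical names, and the shard numbers and hash are constructed sample values.

```go
package main

import "fmt"

// ShardedPool is a simplified model (hypothetical, not elrond-go's type):
// one cache per "senderShard_receiverShard" key, each mapping tx hash -> tx bytes.
type ShardedPool struct {
	caches map[string]map[string][]byte
}

func NewShardedPool() *ShardedPool {
	return &ShardedPool{caches: make(map[string]map[string][]byte)}
}

func CacheID(sender, receiver uint32) string { return fmt.Sprintf("%d_%d", sender, receiver) }

func (p *ShardedPool) Add(cacheID, hash string, tx []byte) {
	if p.caches[cacheID] == nil {
		p.caches[cacheID] = make(map[string][]byte)
	}
	p.caches[cacheID][hash] = tx
}

// SearchExpectedOnly models the pre-patch behaviour: only the expected
// sharded cache is consulted, so an SCR stored elsewhere is never found.
func (p *ShardedPool) SearchExpectedOnly(cacheID, hash string) ([]byte, bool) {
	tx, ok := p.caches[cacheID][hash]
	return tx, ok
}

// SearchWithFallback models the patched behaviour: try the expected cache,
// then every other cache. It returns the cache that held the entry so the
// caller can log a hit that came from an unexpected cache.
func (p *ShardedPool) SearchWithFallback(cacheID, hash string) ([]byte, string, bool) {
	if tx, ok := p.caches[cacheID][hash]; ok {
		return tx, cacheID, true
	}
	for id, cache := range p.caches {
		if tx, ok := cache[hash]; ok {
			return tx, id, true
		}
	}
	return nil, "", false
}

func main() {
	p := NewShardedPool()
	p.Add(CacheID(1, 1), "scr-hash", []byte("gas-refund")) // constructed: SCR filed under an unexpected key
	_, oldFound := p.SearchExpectedOnly(CacheID(1, 0), "scr-hash")
	_, where, newFound := p.SearchWithFallback(CacheID(1, 0), "scr-hash")
	fmt.Println(oldFound, newFound, where)
}
```
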
Source: This report was generated using AI