
Cloud Vulnerability DB
A community-led vulnerabilities database
Rust EVM, an Ethereum Virtual Machine interpreter, contains a vulnerability in versions <= 0.41.0 related to the record_external_operation feature. This feature, which allows library users to record custom gas changes, was found to have problematic interactions with the call stack during the finalization of CREATE or CREATE2 operations. The vulnerability was discovered and disclosed on January 2, 2024, and has been assigned CVE-2024-21629 (NVD, GitHub Advisory).
During the finalization of CREATE or CREATE2 operations, when substack execution succeeds, the implementation first commits the substate and then calls record_external_operation(Write(out_code.len())). If record_external_operation subsequently fails, the error is incorrectly propagated to the parent call stack instead of returning 'Succeeded', despite the substate commitment having already occurred. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (GitHub Advisory).
The vulnerability allows smart contracts to commit state changes even when the parent caller contract receives a zero address, which typically indicates execution failure. This behavior could lead to unexpected state changes in the blockchain. The impact is limited to library users who implement custom record_external_operation functions that return errors (GitHub Advisory).
The vulnerability has been patched in version 0.41.1 of Rust EVM. Users should upgrade to this version or later to address the issue. No alternative workarounds are available (GitHub Advisory, GitHub PR).
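The ordering flaw described above, as an added Rust illustration (this is not rust-evm code; `World`, `Substate`, `Hook`, `finalize_create_vulnerable`, `finalize_create_hardened` and `simulate` are constructed for this example). The vulnerable finalizer commits the substate and then lets a failing `record_external_operation`-style hook escape with `?`, so the parent observes failure (modelled as `None`, the zero address) while the state was already committed. The hardened variant runs the fallible hook before committing; this restores the invariant "state committed if and only if the caller sees success" and is this example's fix, not a claim about the exact change shipped in 0.41.1.

```rust
// Added illustration of the commit-then-fail ordering in CVE-2024-21629.
// Not rust-evm code: all types and function names below are constructed.

/// Externally visible state the parent contract relies on.
#[derive(Debug, Clone, PartialEq, Default)]
pub struct World {
    /// Code stored for the newly created contract (empty if nothing committed).
    pub deployed_code: Vec<u8>,
    /// Whether a substate commit has already happened.
    pub committed: bool,
}

/// Pending changes produced by the CREATE / CREATE2 subcall.
pub struct Substate {
    pub out_code: Vec<u8>,
}

/// Library-user hook standing in for `record_external_operation(Write(len))`.
pub type Hook = fn(usize) -> Result<(), String>;

/// A hook that always accepts (the common case).
pub fn accepting_hook(_len: usize) -> Result<(), String> {
    Ok(())
}

/// A hook that rejects code longer than 2 bytes (constructed failure case).
pub fn rejecting_hook(len: usize) -> Result<(), String> {
    if len > 2 {
        Err(format!("external op rejected: {} bytes", len))
    } else {
        Ok(())
    }
}

/// Vulnerable ordering as described in the advisory: commit first, then call
/// the hook, and let a hook error propagate to the parent call stack.
pub fn finalize_create_vulnerable(world: &mut World, sub: &Substate, hook: Hook) -> Result<(), String> {
    world.deployed_code = sub.out_code.clone();
    world.committed = true;
    hook(sub.out_code.len())?; // failure escapes although the commit already happened
    Ok(())
}

/// Hardened ordering (this example's fix): run the fallible hook before any
/// commit, so a hook failure leaves the world untouched.
pub fn finalize_create_hardened(world: &mut World, sub: &Substate, hook: Hook) -> Result<(), String> {
    hook(sub.out_code.len())?; // nothing committed yet, so propagating is safe
    world.deployed_code = sub.out_code.clone();
    world.committed = true;
    Ok(())
}

pub type Finalizer = fn(&mut World, &Substate, Hook) -> Result<(), String>;

/// Runs a finalizer and returns what the parent would observe:
/// (substate committed?, created address). `None` models the zero address
/// the caller receives when the subcall reports failure.
pub fn simulate(finalize: Finalizer, hook: Hook) -> (bool, Option<[u8; 20]>) {
    let mut world = World::default();
    // Constructed 5-byte "deployed code"; long enough to trip rejecting_hook.
    let sub = Substate { out_code: vec![0x60, 0x00, 0x60, 0x00, 0xf3] };
    let addr = match finalize(&mut world, &sub, hook) {
        Ok(()) => Some([0xaa; 20]), // constructed non-zero address
        Err(_) => None,
    };
    (world.committed, addr)
}

/// Invariant the parent contract depends on: state is committed
/// if and only if a non-zero address was returned.
pub fn invariant_holds(outcome: (bool, Option<[u8; 20]>)) -> bool {
    outcome.0 == outcome.1.is_some()
}

fn main() {
    let cases: [(&str, Finalizer); 2] = [
        ("vulnerable", finalize_create_vulnerable),
        ("hardened", finalize_create_hardened),
    ];
    for (name, f) in cases.iter() {
        let outcome = simulate(*f, rejecting_hook);
        println!(
            "{}: committed={} address_nonzero={} invariant_ok={}",
            name,
            outcome.0,
            outcome.1.is_some(),
            invariant_holds(outcome)
        );
    }
}
```

Running it with the rejecting hook shows the vulnerable finalizer reporting `committed=true` together with a zero (absent) address, which is exactly the state/return mismatch the advisory describes, while the hardened finalizer reports neither a commit nor an address. A library user who keeps custom hooks infallible, or upgrades to 0.41.1 or later, avoids the mismatch; the invariant check is the property worth asserting in any test suite around such hooks.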
Source: This report was generated using AI