Description

Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It's not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030.

INFO

Published Date :

2025-07-28T20:34:56.710Z

Last Modified :

2025-07-28T20:46:59.149Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-54429 vulnerability.

Vendors Products
Polkadot
  • Frontier
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-54429.

URL Resource
https://dotpal.io/assets/files/frontier-srlabs-2505-718c3bfa5df9fed1862fed05de506859.pdf cve-icon cve-icon
https://github.com/polkadot-evm/frontier/pull/1655 cve-icon cve-icon
https://github.com/polkadot-evm/frontier/security/advisories/GHSA-fr62-ppwc-mc2h cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability