CVE-2025-54426 CRITICAL

CVE-2025-54426: Polkadot Frontier contains silent failure in Curve25519 arithmetic precompiles with malformed points

Vendor Polkadot-Evm
Product frontier
Weakness CWE-327 · Broken crypto
Published July 28, 2025
Last update July 28, 2025

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:N

What the vulnerability does

01Description

Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. In versions prior to commit 36f70d1, the Curve25519Add and Curve25519ScalarMul precompiles incorrectly handle invalid Ristretto point representations. Instead of returning an error, they silently treat invalid input bytes as the Ristretto identity element, leading to potentially incorrect cryptographic results. This is fixed in commit 36f70d1.

Key dates

02Disclosure timeline

July 28, 2025 CVE published
July 28, 2025 Record updated