Skip to content

Restrict EVM access to EOAs with proven malicious activity #8272

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
j1010001 merged 25 commits into from
Jan 3, 2026
Merged

Restrict EVM access to EOAs with proven malicious activity #8272

j1010001 merged 25 commits into from
Jan 3, 2026

Conversation

@m-Peter
Copy link
Collaborator

@m-Peter m-Peter commented Dec 28, 2025
edited
Loading

This will also resume all EVM operations for the public.

@m-Peter m-Peter self-assigned this Dec 28, 2025
@m-Peter m-Peter requested a review from a team as a code owner December 28, 2025 20:13
@coderabbitai
Copy link

coderabbitai bot commented Dec 28, 2025
edited
Loading

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov-commenter
Copy link

codecov-commenter commented Dec 28, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 31.81818% with 15 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
fvm/evm/emulator/emulator.go 41.17% 8 Missing and 2 partials ⚠️
fvm/evm/types/result.go 0.00% 3 Missing ⚠️
utils/unittest/execution_state.go 0.00% 2 Missing ⚠️

📢 Thoughts on this report? Let us know!

@m-Peter m-Peter force-pushed the mpeter/disable-evm-state-mutation branch from ee53efc to baae296 Compare December 28, 2025 20:22
peterargue
peterargue reviewed Dec 28, 2025
View reviewed changes
fvm/evm/stdlib/contract.cdc Outdated
gasLimit: gasLimit,
value: value.attoflow
) as! Result
panic("EVM transactions are temporarily disabled")
Copy link
Contributor

@peterargue peterargue Dec 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this will prevent script executions from calling into EVM right?

Copy link
Contributor

@peterargue peterargue Dec 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nevermind. that uses dryCall

Copy link
Collaborator Author

@m-Peter m-Peter Dec 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, we have dryCall for that. I have only updated APIs that mutate the EVM state.

@m-Peter m-Peter changed the title Freeze all EVM APIs that mutate state Temporarily disable all EVM APIs that mutate state Dec 28, 2025
@m-Peter m-Peter force-pushed the mpeter/disable-evm-state-mutation branch from baae296 to 4a3ef39 Compare December 28, 2025 20:43
@peterargue
Copy link
Contributor

peterargue commented Dec 28, 2025
edited
Loading

@m-Peter do we also need to disable?

  • depositNFT
  • withdrawNFT
  • depositTokens
  • withdrawTokens
  • createCadenceOwnedAccount

@m-Peter
Copy link
Collaborator Author

m-Peter commented Dec 28, 2025
edited
Loading

@peterargue All the bridge related operations, under the hood use COAs, and since we have disabled those, I think we're safe. There's no way for the bridge to mutate EVM state, all public APIs that mutate EVM state are disabled.

createCadenceOwnedAccount This is usually part of the creation of Flow accounts in wallets. Do we want to break those transactions too? I am not sure if creating COAs is problematic, because its operations are already disabled.

@turbolent turbolent mentioned this pull request Dec 29, 2025
Merged
@m-Peter m-Peter force-pushed the mpeter/disable-evm-state-mutation branch from 4a3ef39 to 11d2be4 Compare December 31, 2025 10:46
@m-Peter m-Peter changed the title Temporarily disable all EVM APIs that mutate state White-list EVM transactions to list of EOAs for remediation actions Dec 31, 2025
@m-Peter m-Peter changed the title White-list EVM transactions to list of EOAs for remediation actions White-list EVM transactions to certain EOAs for remediation actions Dec 31, 2025
@liobrasil

This comment was marked as outdated.

Sign in to view
@j1010001 j1010001 changed the title White-list EVM transactions to certain EOAs for remediation actions Allow-list EVM transactions to certain EOAs for remediation actions Dec 31, 2025
@j1010001 j1010001 mentioned this pull request Dec 31, 2025
Closed
@m-Peter m-Peter force-pushed the mpeter/disable-evm-state-mutation branch from dec905a to 4ecb6fa Compare January 1, 2026 10:57
This was referenced Jan 1, 2026
Closed
Closed
joshuahannan
joshuahannan reviewed Jan 1, 2026
View reviewed changes
fvm/evm/stdlib/contract.cdc
Comment on lines +1031 to +1046
/// This is only a temporary measure and will be removed immediately
/// after the remediation of the illicit tokens
// in the Dec 2025 security incident is complete.
/// This function can only be called from the `FlowServiceAccount` contract,
/// and only from the holder of `FlowServiceAccount.Administrator` resource.
access(account)
fun reclaimFundsFromAttackerEOAs(from: String, to: String, amount: UInt): Result {
return InternalEVM.call(
from: EVM.addressFromString(from).bytes,
to: EVM.addressFromString(to).bytes,
data: [],
gasLimit: 1_000_000,
value: amount
) as! Result
}

Copy link
Member

@joshuahannan joshuahannan Jan 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be removed, right?

Copy link
Member

@j1010001 j1010001 Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it could be - I believe all EOAs have been reclaimed, but we can also do this bit later, not critical IMO

Copy link
Collaborator Author

@m-Peter m-Peter Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can remove this, if we are not interested in claiming the 1,005 USDF from the EOA address. However, this can be done later on I think. Because we also have to update the FlowServiceAccount, it is currently referencing this function.

@zhangchiqing zhangchiqing mentioned this pull request Jan 2, 2026
Merged
zhangchiqing
zhangchiqing reviewed Jan 2, 2026
View reviewed changes
fvm/evm/emulator/restricted_eoa_test.go
// Ethereum addresses are case-insensitive in hex representation
// but gethCommon.HexToAddress normalizes to lowercase
addr1 := gethCommon.HexToAddress("0x2e7C4b71397f10c93dC0C2ba6f8f179A47F994e1")
addr2 := gethCommon.HexToAddress("0x2e7c4b71397f10c93dc0c2ba6f8f179a47f994e1")
Copy link
Member

@zhangchiqing zhangchiqing Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some test case to double check the same address in different case format will still be rejected.

peterargue
peterargue reviewed Jan 2, 2026
View reviewed changes
fvm/evm/emulator/emulator.go Outdated
}

// Restrict access to EVM, for EOAs with proven malicious activity
if slices.Contains(restrictedEOAs, msg.From) {
Copy link
Contributor

@peterargue peterargue Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this check still be here now that it's done in run?

@j1010001 j1010001 mentioned this pull request Jan 2, 2026
Merged
peterargue
peterargue reviewed Jan 2, 2026
View reviewed changes
fvm/evm/emulator/emulator.go Outdated
txType uint8,
) (*types.Result, error) {
// Restrict access to EVM, for EOAs with proven malicious activity
if isRestrictedEOA(msg.From) {
Copy link
Contributor

@peterargue peterargue Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is also called within dryRun
https://github.com/onflow/flow-go/blob/mpeter/disable-evm-state-mutation/fvm/evm/emulator/emulator.go#L351

I'm guessing that is fine, but double checking

@j1010001 j1010001 mentioned this pull request Jan 2, 2026
Merged
@j1010001
Merge pull request #8289 from onflow/jan/pr-8272-with-AN-compatibilit…
a9d2961 
…y-for-v0.44.14

add AN compatibility for v0.44.14 - restrict only EOAs
@j1010001 j1010001 merged commit a7bf11e into v0.44 Jan 3, 2026
57 checks passed
@j1010001 j1010001 deleted the mpeter/disable-evm-state-mutation branch January 3, 2026 21:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@turbolent turbolent turbolent approved these changes

@zhangchiqing zhangchiqing zhangchiqing approved these changes

@joshuahannan joshuahannan joshuahannan approved these changes

@j1010001 j1010001 j1010001 left review comments

@janezpodhostnik janezpodhostnik janezpodhostnik approved these changes

@peterargue peterargue peterargue approved these changes

@tarakby tarakby Awaiting requested review from tarakby

Assignees

@m-Peter m-Peter

Labels

Flow EVM

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

10 participants

@m-Peter @codecov-commenter @peterargue @liobrasil @turbolent @zhangchiqing @joshuahannan @j1010001 @janezpodhostnik