Evmos
CVE-2024-32644
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Prior to 17.0.0, there is a way to mint arbitrary tokens due to the possibility to have two different states not in sync during the execution of a transaction. The exploit is based on the fact that to sync the Cosmos SDK state and the EVM one, we rely on the stateDB.Commit() method. When we call this method, we iterate though all the dirtyStorage and, if and only if it is different than the originStorage, we set the new state. Setting the new state means we update the Cosmos SDK KVStore. If a contract storage state that is the same before and after a transaction, but is changed during the transaction and can call an external contract after the change, it can be exploited to make the transaction similar to non-atomic. The vulnerability is critical since this could lead to drain of funds through creative SC interactions. The issue has been patched in versions >=V17.0.0.
AnalysisAI
Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
This vulnerability is classified under CWE-662. Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Prior to 17.0.0, there is a way to mint arbitrary tokens due to the possibility to have two different states not in sync during the execution of a transaction. The exploit is based on the fact that to sync the Cosmos SDK state and the EVM one, we rely on the stateDB.Commit() method. When we call this method, we iterate though all the dirtyStorage and, if and only if it is different than the originStorage, we set the new state. Setting the new state means we update the Cosmos SDK KVStore. If a contract storage state that is the same before and after a transaction, but is changed during the transaction and can call an external contract after the change, it can be exploited to make the transaction similar to non-atomic. The vulnerability is critical since this could lead to drain of funds through creative SC interactions. The issue has been patched in versions >=V17.0.0. Affected products include: Evmos. Version information: Prior to 17.0.0.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Rated high severity (CVSS 7.5), this vulnerabilit
Ethermint is an Ethereum library. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authe
Evmos is a decentralized Ethereum Virtual Machine chain on the Cosmos Network. Rated high severity (CVSS 8.1), this vuln
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Rated high severity (CVSS 8.1), this vulnerabilit
Cronos is a commercial implementation of a blockchain. Rated high severity (CVSS 7.5), this vulnerability is remotely ex
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Rated high severity (CVSS 7.4), this vulnerabilit
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Rated medium severity (CVSS 6.5), this vulnerabil
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Rated medium severity (CVSS 5.3), this vulnerabil
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Rated medium severity (CVSS 4.3), this vulnerabil
Same weakness CWE-662 – Improper Synchronization
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today