Token Minting Vulnerability in Evmos Blockchain
CVE-2024-32644

9.1CRITICAL

Key Information:

Vendor: Evmos
Status: Evmos Blockchain
Vendor: CVE Published:; 19 April 2024

What is CVE-2024-32644?

Evmos, a high-throughput Proof-of-Stake EVM blockchain, is vulnerable to an exploit that allows the minting of arbitrary tokens. This issue arises from a desynchronized state between the Cosmos SDK and EVM during transaction execution. When the stateDB.Commit() method is invoked, it checks for differences in storage states. If a contract's storage remains unchanged before and after a transaction yet is modified during execution, an attacker can manipulate external contract calls, leading to non-atomic transactions. This vulnerability poses significant risks, as it can potentially drain funds through clever smart contract interactions. The incident has been remedied in versions 17.0.0 and later.

References

https://github.com/evmos/evmos/security/advisories/GHSA-3...

https://github.com/evmos/evmos/commit/08982b5ee726b97bc50...

https://github.com/evmos/evmos/blob/b196a522ba4951890b409...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 19, 2024