Description
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. There is an issue with how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract's balance, that is using the contract address as the sender parameter in an ICS20 transfer using the ICS20 precompile. This is in essence the "infinite money glitch" allowing contracts to double the supply of Evmos after each transaction.The issue has been patched in versions >=V18.1.0.
Details
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Packages
| Software | From version | Fixed in |
|---|---|---|
| evmos | — | 18.1.0 |
| github.com/evmos/evmos | — | — |
| github.com/evmos/evmos/v10 | — | — |
| github.com/evmos/evmos/v11 | — | — |
| github.com/evmos/evmos/v12 | — | — |
| github.com/evmos/evmos/v13 | — | — |
| github.com/evmos/evmos/v14 | — | — |
| github.com/evmos/evmos/v15 | — | — |
| github.com/evmos/evmos/v16 | — | — |
| github.com/evmos/evmos/v17 | — | — |
| github.com/evmos/evmos/v18 | — | — |
| github.com/evmos/evmos/v2 | — | — |
| github.com/evmos/evmos/v3 | — | — |
| github.com/evmos/evmos/v4 | — | — |
| github.com/evmos/evmos/v5 | — | — |
| github.com/evmos/evmos/v6 | — | — |
| github.com/evmos/evmos/v7 | — | — |
| github.com/evmos/evmos/v8 | — | — |
| github.com/evmos/evmos/v9 | — | — |
References
Similar Threats
- High CVE-2024-39696
- Low CVE-2024-37158
- Low CVE-2024-37159
- High CVE-2024-37153
- Medium CVE-2024-37154
Free Vulnerability Check
Is your WordPress site affected?
BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.
Scan My Site Free →No credit card required · Results in minutes
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.