CVE-2024-37153
HIGHevmos < 18.1.0 - Always-Incorrect Control Flow Implementation in ICS20 Transfer
Title source: llmDescription
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. There is an issue with how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract's balance, that is using the contract address as the sender parameter in an ICS20 transfer using the ICS20 precompile. This is in essence the "infinite money glitch" allowing contracts to double the supply of Evmos after each transaction.The issue has been patched in versions >=V18.1.0.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc
Patch x_refsource_misc
https://github.com/evmos/evmos/commit/478b7a62e7af57a70cf3a01126c7f5a89bee69d7
Scores
CVSS v3
7.5
EPSS
0.0062
EPSS Percentile
44.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-670
Status
published
Products (2)
evmos/evmos
< 18.1.0
evmos/evmos
0 - 18.1.0 (13 CPE variants)Go
Published
Jun 06, 2024
Tracked Since
Feb 18, 2026