| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/cosmos/evm | go | >= 0.3.0, < 0.3.2 | 0.3.2 |
| github.com/cosmos/evm | go | >= 0.4.0, < 0.4.2 | 0.4.2 |
The vulnerability is a critical state desynchronization issue between the Cosmos SDK's native bank module and the EVM's state database within the cosmos/evm module. The root cause is twofold:
1. Improper State Reversion: The EVM's snapshot and revert mechanism did not account for the SDK's EventManager. When a nested operation within an EVM transaction was reverted (e.g., by a try/catch block in a Solidity contract), the events emitted by the reverted operation were not cleared from the transaction's event log. The `StateDB.RevertToSnapshot` function was missing the logic to restore the event manager to its previous state.
2. Shared Global State in Precompiles: A single, shared instance of a `BalanceHandler` was used across all precompile executions within a single transaction. In scenarios involving recursive precompile calls (where one precompile-interacting contract calls another), the inner call would overwrite the state of the shared `BalanceHandler`.
The combination of these two flaws allowed an attacker to craft a transaction that triggers recursive precompile calls with reverts. The `BalanceHandler`, designed to synchronize EVM balances with native bank events, would then process the leftover "ghost" events from the reverted calls. This led to incorrect balance updates in the EVM's `StateDB`, so that its balances diverged from the source-of-truth balances held by the bank module.
The patch addresses these issues by:
1. Updating `StateDB.Snapshot` and `StateDB.RevertToSnapshot` to correctly save and restore the EventManager state, ensuring events from reverted calls are discarded.
2. Introducing a `BalanceHandlerFactory` so that each precompile execution gets a new, clean `BalanceHandler` instance, preventing state corruption between recursive calls.
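To make the interaction between the two flaws concrete, the following is a simplified Go model written for this page; it is not code from cosmos/evm, and the names `stateDB`, `balanceHandler`, `runTx` and the balance-replay logic are assumptions that stand in for the real implementation. It runs the recursive-precompile-with-revert pattern four times, with each fix switched on or off, and compares the EVM view of balances against the bank balances afterwards. Only the run with both fixes enabled stays consistent, which shows why the patch needed both the event-log restore and the per-call handler.

```go
package main

import "fmt"

// bankEvent models a bank "transfer" event recorded by the SDK EventManager.
type bankEvent struct {
	from, to string
	amount   int64
}

// eventManager models the SDK EventManager as an append-only log.
type eventManager struct{ events []bankEvent }

// snapshot holds what RevertToSnapshot restores. eventsLen is -1 in the
// pre-patch mode, meaning the event log is not tracked.
type snapshot struct {
	evmBalances, bankBalances map[string]int64
	eventsLen                 int
}

// stateDB is a toy StateDB plus the bank balances it must stay in sync with.
type stateDB struct {
	evm, bank     map[string]int64 // evm: StateDB view; bank: source of truth
	em            *eventManager
	snaps         []snapshot
	restoreEvents bool // patched behaviour: revert also truncates the event log
}

func cloneMap(m map[string]int64) map[string]int64 {
	out := make(map[string]int64, len(m))
	for k, v := range m {
		out[k] = v
	}
	return out
}

func (db *stateDB) Snapshot() int {
	s := snapshot{cloneMap(db.evm), cloneMap(db.bank), -1}
	if db.restoreEvents {
		s.eventsLen = len(db.em.events)
	}
	db.snaps = append(db.snaps, s)
	return len(db.snaps) - 1
}

func (db *stateDB) RevertToSnapshot(id int) {
	s := db.snaps[id]
	db.evm, db.bank = s.evmBalances, s.bankBalances
	if db.restoreEvents {
		db.em.events = db.em.events[:s.eventsLen] // drop events of the reverted frame
	}
	db.snaps = db.snaps[:id]
}

// bankTransfer is what a bank precompile does: move native coins and emit an event.
func (db *stateDB) bankTransfer(from, to string, amt int64) {
	db.bank[from] -= amt
	db.bank[to] += amt
	db.em.events = append(db.em.events, bankEvent{from, to, amt})
}

// balanceHandler replays bank events emitted since BeforeBalanceChange into the EVM balances.
type balanceHandler struct{ prevEventsLen int }

func (h *balanceHandler) BeforeBalanceChange(db *stateDB) { h.prevEventsLen = len(db.em.events) }

func (h *balanceHandler) AfterBalanceChange(db *stateDB) {
	for _, e := range db.em.events[h.prevEventsLen:] {
		db.evm[e.from] -= e.amount
		db.evm[e.to] += e.amount
	}
}

// runTx executes: outer precompile call -> nested frame with a second precompile
// call that reverts -> outer call completes. perCallHandler models the factory fix.
func runTx(restoreEvents, perCallHandler bool) (evm, bank map[string]int64) {
	db := &stateDB{
		evm:  map[string]int64{"alice": 100, "bob": 0, "carol": 0},
		bank: map[string]int64{"alice": 100, "bob": 0, "carol": 0},
		em:   &eventManager{}, restoreEvents: restoreEvents,
	}
	shared := &balanceHandler{}
	newHandler := func() *balanceHandler {
		if perCallHandler {
			return &balanceHandler{}
		}
		return shared // pre-patch: one instance for the whole transaction
	}
	outer := newHandler()
	outer.BeforeBalanceChange(db)
	db.bankTransfer("alice", "bob", 10)

	snap := db.Snapshot() // nested frame, e.g. a Solidity try/catch
	inner := newHandler()
	inner.BeforeBalanceChange(db) // overwrites outer's position when shared
	db.bankTransfer("alice", "carol", 5)
	inner.AfterBalanceChange(db)
	db.RevertToSnapshot(snap) // nested frame reverts; event may linger

	outer.AfterBalanceChange(db)
	return db.evm, db.bank
}

// consistent reports whether the EVM view matches the bank balances.
func consistent(a, b map[string]int64) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if b[k] != v {
			return false
		}
	}
	return true
}

func main() {
	for _, c := range [][2]bool{{false, false}, {true, false}, {false, true}, {true, true}} {
		evm, bank := runTx(c[0], c[1])
		fmt.Printf("restoreEvents=%v perCallHandler=%v evm=%v bank=%v consistent=%v\n",
			c[0], c[1], evm, bank, consistent(evm, bank))
	}
}
```

In the unpatched run the outer handler's start position has been overwritten by the inner call, so when the outer call completes it replays only the lingering alice-to-carol event and never applies its own alice-to-bob transfer: the EVM view credits carol with coins the bank never moved. Restoring the event log alone leaves the outer handler pointing past its own event, and a fresh handler alone replays the ghost event, which is why both changes are in the patch.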