9.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-v6rw-hhgg-wc4x

EPSS Score

CWE

Published

4/17/2024

Updated

4/17/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-v6rw-hhgg-wc4x

GHSA-v6rw-hhgg-wc4x:
Evmos vulnerable to DOS and transaction fee expropiation through Authz exploit

Impact

What kind of vulnerability is it? Who is impacted?

An attacker can use this bug to bypass the block gas limit and gas payment completely to perform a full Denial-of-Service against the chain.

Disclosure

Evmos versions below v11.0.1 do not check for MsgEthereumTx messages that are nested under other messages. This allows a malicious actor to perform EVM transactions that do not meet the checks performed under newEthAnteHandler. This opens the possibility for the DOS of validators and consequently halt the chain through an infinite EVM execution.

Additional details

The attack scenario is as follows:

The attacker deploys a simple smart contract with an infinite loop to the chain.
The attacker calls the smart contract using an embedded transaction with an extremely high gas value (uint64 max or similar).
Once the transaction is included in a block, nodes will try to execute the EVM transaction with almost infinite gas and get stuck. This stops new block creation and effectively halts the chain, requiring a manual restart of all nodes.

Users Impacted

All Evmos users are impacted by this vulnerability as it has the potential to halt the chain. Users' funds and chain state are safe but when under attack, the chain could be deemed unusable.

Patches

Has the problem been patched? What versions should users upgrade to?

The vulnerability has been patched on Evmos versions ≥v12.0.0.

Details

As a temporary workaround, the fix blocks MsgEthereumTxs messages from being sent under the authz module's MsgExec message. It also covers the scenario in which MsgEthereumTx are deeply nested by:

Doing a recursive check over the nested messages of MsgExec
Limiting the amount of possible nested messages (inner messages) in MsgExec

This is done by adding an additional AnteHandler decorator (AuthzLimiterDecorator) for Cosmos and EIP-712 transactions.

This is a state machine-breaking change as it restricts previously allowed messages and thus requires a hard-fork upgrade.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Reach out to the Core Team in Discord
Open a discussion in evmos/evmos
Email us at security@evmos.org for security questions
For Press, email us at evmos@west-comms.com.

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-v6rw-hhgg-wc4x

EPSS Score

CWE

Published

4/17/2024

Updated

4/17/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/evmos/evmos/v11	go	< 12.0.0	12.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key gaps: 1) The authz module's MsgExec handler (authz.NewMsgExec) didn't recursively validate() nested MsgEthereumTx messages, and 2) The Ethereum-specific AnteHandler (newEthAnteHandler) wasn't applied to these nested messages. This allowed attackers to embed gas-unchecked EVM transactions. The fix explicitly adds recursive checks and a decorator (AuthzLimiterDecorator) to the AnteHandler chain, confirming these were the missing protections.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ *n *tt**k*r **n us* t*is *u* to *yp*ss t** *lo*k **s limit *n* **s p*ym*nt *ompl*t*ly to p*r*orm * *ull **ni*l-o*-S*rvi** ***inst t** ***in. ## *is*losur* *vmos v*rsions **low `v**.*.*

Reasoning

T** vuln*r**ility st*ms *rom two k*y **ps: *) T** *ut*z mo*ul*'s `Ms**x**` **n*l*r (`*ut*z.N*wMs**x**`) *i*n't r**ursiv*ly `v*li**t*()` n*st** `Ms**t**r*umTx` m*ss***s, *n* *) T** *t**r*um-sp**i*i* `*nt***n*l*r` (`n*w*t**nt***n*l*r`) w*sn't *ppli** t

9.1

Basic Information

Concerned about an active attack path?

GHSA-v6rw-hhgg-wc4x: Evmos vulnerable to DOS and transaction fee expropiation through Authz exploit

Impact

Disclosure

Additional details

Users Impacted

Patches

Details

References

For more information

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

GHSA-v6rw-hhgg-wc4x:
Evmos vulnerable to DOS and transaction fee expropiation through Authz exploit

Vulnerability Intelligence
Miggo AI