CVE-2024-37158info

Summary

by MITRE • 06/17/2024

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Preliminary checks on actions computed by the clawback vesting accounts are performed in the ante handler. Evmos core, implements two different ante handlers: one for Cosmos transactions and one for Ethereum transactions. Checks performed on the two implementation are different. The vulnerability discovered allowed a clawback account to bypass Cosmos ante handler checks by sending an Ethereum transaction targeting a precompile used to interact with a Cosmos SDK module. This vulnerability is fixed in 18.0.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/08/2026

The Evmos platform represents a significant integration of Ethereum Virtual Machine functionality within the Cosmos ecosystem, creating a unique environment where both Cosmos and Ethereum transaction types coexist. This dual-transaction architecture introduces complex security considerations as the platform must maintain proper validation boundaries between the two distinct transaction processing pipelines. The vulnerability stems from an inconsistency in how ante handlers validate transactions across these different execution paths, specifically affecting clawback vesting accounts that require careful monitoring and control mechanisms. The security model relies on proper segregation between Cosmos and Ethereum transaction processing to prevent unauthorized actions that could compromise account integrity and fund security.

The technical flaw manifests in the differential validation logic between the Cosmos and Ethereum ante handler implementations within Evmos core. While the Cosmos ante handler performs comprehensive checks on clawback vesting accounts, the Ethereum ante handler lacks equivalent validation mechanisms. This discrepancy allows malicious actors to exploit a specific pathway where an Ethereum transaction targeting a precompile interface for Cosmos SDK modules can bypass the Cosmos-specific validation checks. The vulnerability specifically affects clawback vesting accounts, which are designed to hold funds that can be reclaimed under certain conditions, making this a critical security concern for fund protection mechanisms. The precompile interface serves as an unexpected attack vector that enables bypassing the intended security controls through the Ethereum transaction pathway.

The operational impact of this vulnerability extends beyond simple transaction validation failures to potentially compromise the entire clawback vesting system's integrity. Attackers could exploit this weakness to execute unauthorized clawback operations, effectively allowing them to access funds that should remain restricted under the vesting schedule. The vulnerability demonstrates a fundamental flaw in the security boundary between Cosmos and Ethereum transaction processing, creating a potential attack surface that could enable financial loss and undermine trust in the platform's fund management capabilities. This issue particularly affects accounts where fund recovery or clawback mechanisms are critical for compliance and security purposes, as the bypass allows unauthorized access to these controlled resources.

Mitigation strategies for this vulnerability require implementing consistent validation logic across both ante handler implementations, ensuring that all transaction types undergo identical security checks regardless of their execution pathway. The fix implemented in version 18.0.0 addresses this by harmonizing the validation processes between Cosmos and Ethereum transaction handlers, eliminating the discrepancy that enabled the bypass. Organizations should verify that all precompile interfaces maintain proper access controls and that cross-chain transaction validation boundaries are properly enforced. This vulnerability highlights the importance of maintaining security consistency across multi-chain platforms and underscores the necessity of thorough testing of all transaction pathways. The remediation approach aligns with security best practices outlined in the CWE catalog for cross-cutting concerns in multi-platform systems and represents a defensive measure against privilege escalation attacks that could leverage similar validation inconsistencies.

Disclosure

06/17/2024

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!