Resource Exhaustion Affecting github.com/evmos/evmos/v11 package, versions <12.0.0
Snyk ID SNYK-GOLANG-GITHUBCOMEVMOSEVMOSV11-6663929
- published 19 Apr 2024
- disclosed 17 Apr 2024
- credit Unknown
How to fix?
Upgrade github.com/evmos/evmos/v11 to version 12.0.0 or higher.
Overview
github.com/evmos/evmos/v11 is a scalable, high-throughput Proof-of-Stake blockchain that is fully compatible and interoperable with Ethereum.
Affected versions of this package are vulnerable to Resource Exhaustion due to missing checks of MsgEthereumTx messages that are nested under other messages. An attacker can bypass the block gas limit and gas payment, leading to a full chain halt, by deploying a smart contract with an infinite loop and calling it with an embedded transaction that carries an extremely high gas value. Nodes then attempt to execute the EVM transaction with almost infinite gas, get stuck, and stop producing new blocks. Recovery requires a manual restart of all nodes.
Workaround
This vulnerability can be mitigated by blocking MsgEthereumTx messages from being sent under the authz module's MsgExec message, performing a recursive check over the nested messages of MsgExec, and limiting the number of possible nested messages in MsgExec through an additional AnteHandler decorator (AuthzLimiterDecorator).
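The recursive nested-message check described in the workaround, as an added example that is not Evmos' own code: a simplified Go model of an AuthzLimiterDecorator. The Msg interface, the MsgEthereumTx/MsgExec/MsgSend structs, the NestedExec helper and the nesting limit of 2 are assumptions standing in for the Cosmos SDK types and for whatever limit Evmos actually configures; the type URLs follow the usual Cosmos/Ethermint naming but nothing here imports the SDK.

```go
package main

import (
	"errors"
	"fmt"
)

// Msg is a minimal stand-in for the Cosmos SDK sdk.Msg interface; only the
// type URL is needed for this check (assumption: the real decorator inspects
// the messages unpacked from MsgExec.Msgs in the same way).
type Msg interface {
	TypeURL() string
}

// MsgEthereumTx models the EVM transaction message that must not be nested.
type MsgEthereumTx struct{ Gas uint64 }

func (MsgEthereumTx) TypeURL() string { return "/ethermint.evm.v1.MsgEthereumTx" }

// MsgExec models the authz MsgExec wrapper that carries other messages.
type MsgExec struct{ Msgs []Msg }

func (MsgExec) TypeURL() string { return "/cosmos.authz.v1beta1.MsgExec" }

// MsgSend models an ordinary message that remains allowed inside MsgExec.
type MsgSend struct{}

func (MsgSend) TypeURL() string { return "/cosmos.bank.v1beta1.MsgSend" }

var (
	ErrDisabledMsg = errors.New("message type is not allowed inside MsgExec")
	ErrTooDeep     = errors.New("MsgExec nesting exceeds the configured limit")
)

// AuthzLimiterDecorator mirrors the intent of the decorator named in the
// advisory: it rejects configured message types when they appear inside
// MsgExec and caps how deeply MsgExec may be nested.
type AuthzLimiterDecorator struct {
	disabled map[string]bool
	maxDepth int // illustrative limit; the advisory does not state Evmos' value
}

func NewAuthzLimiterDecorator(maxDepth int, disabledTypeURLs ...string) AuthzLimiterDecorator {
	d := AuthzLimiterDecorator{disabled: make(map[string]bool), maxDepth: maxDepth}
	for _, u := range disabledTypeURLs {
		d.disabled[u] = true
	}
	return d
}

// CheckMsgs is the check an AnteHandler would run over a transaction's
// messages before any of them execute. Top-level messages are not restricted,
// so a MsgEthereumTx sent directly (the normal case) is still valid.
func (d AuthzLimiterDecorator) CheckMsgs(msgs []Msg) error {
	return d.check(msgs, 0)
}

// check walks the message tree; depth counts the MsgExec wrappers above msgs.
// Recursing is what catches an EVM tx hidden two or more MsgExec layers down.
func (d AuthzLimiterDecorator) check(msgs []Msg, depth int) error {
	if depth > d.maxDepth {
		return fmt.Errorf("%w: depth %d > %d", ErrTooDeep, depth, d.maxDepth)
	}
	for _, m := range msgs {
		if depth > 0 && d.disabled[m.TypeURL()] {
			return fmt.Errorf("%w: %s at depth %d", ErrDisabledMsg, m.TypeURL(), depth)
		}
		if exec, ok := m.(MsgExec); ok {
			if err := d.check(exec.Msgs, depth+1); err != nil {
				return err
			}
		}
	}
	return nil
}

// NestedExec wraps inner in n layers of MsgExec (constructed sample input).
func NestedExec(n int, inner Msg) Msg {
	var m Msg = inner
	for i := 0; i < n; i++ {
		m = MsgExec{Msgs: []Msg{m}}
	}
	return m
}

func main() {
	d := NewAuthzLimiterDecorator(2, MsgEthereumTx{}.TypeURL())
	cases := []struct {
		name string
		msgs []Msg
	}{
		{"direct EVM tx", []Msg{MsgEthereumTx{Gas: 21000}}},
		{"EVM tx hidden in MsgExec", []Msg{NestedExec(1, MsgEthereumTx{Gas: 1 << 62})}},
		{"EVM tx two layers down", []Msg{NestedExec(2, MsgEthereumTx{Gas: 1 << 62})}},
		{"bank send in MsgExec", []Msg{NestedExec(1, MsgSend{})}},
		{"MsgExec nested too deep", []Msg{NestedExec(3, MsgSend{})}},
	}
	for _, c := range cases {
		fmt.Printf("%-26s -> %v\n", c.name, d.CheckMsgs(c.msgs))
	}
}
```

The point of the recursion is visible in the "two layers down" case: a decorator that only inspected the direct children of MsgExec would pass that transaction, and the nested MsgEthereumTx would reach the EVM with its attacker-chosen gas value. The depth cap bounds the work the decorator itself does, so the check cannot become a resource-exhaustion vector of its own.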