Improper Synchronization Affecting github.com/evmos/evmos/v16/precompiles package, versions <17.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMEVMOSEVMOSV16PRECOMPILES-6595986
- published 15 Apr 2024
- disclosed 10 Apr 2024
- credit Unknown
How to fix?
Upgrade github.com/evmos/evmos/v16/precompiles to version 17.0.0 or higher.
Overview
Affected versions of this package are vulnerable to Improper Synchronization due to the interaction between stateObject and StateDB during transaction execution. An attacker can mint arbitrary tokens by exploiting the lack of synchronization between the Cosmos SDK state and the EVM state. This is achieved by manipulating the transaction execution process to have two different states not in sync, specifically by altering the contract storage state before and after a transaction while changing it during the transaction to call an external contract. This vulnerability could lead to a significant drain of funds through creative, smart contract interactions.