Always-Incorrect Control Flow Implementation Affecting github.com/tharsis/evmos package, versions <0.6.5


0.0
high

Snyk CVSS

    Attack Complexity Low
    Integrity High

    Threat Intelligence

    EPSS 0.07% (29th percentile)
Expand this section
NVD
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMTHARSISEVMOS-2331757
  • published 7 Jan 2022
  • disclosed 6 Jan 2022
  • credit @zb3

How to fix?

Upgrade github.com/tharsis/evmos to version 0.6.5 or higher.

Overview

github.com/tharsis/evmos is a scalable, high-throughput Proof-of-Stake blockchain that is fully compatible and interoperable with Ethereum. It's built using the Cosmos SDK which runs on top of Tendermint Core consensus engine.

Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation as it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx.

User funds and balances are safe.