Veracode Vulnerability Database
VERACODE:46559
History: Apr 22, 2024 - 6:14 a.m.

Improper Synchronisation

2024-04-22 06:14:35
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
evmos
vulnerability
token minting
non-atomic transactions
fund drain
smart contracts
synchronization
statedb.commit()

CVSS3: 9.1 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score: 9.2 High
Confidence: High

EPSS: 0.0004 Low
Percentile: 15.8%

https://github.com/evmos/evmos/ is vulnerable to Improper Synchronisation. The vulnerability is due to a lack of synchronization between two states during transaction execution, which allows arbitrary token minting. The issue occurs because the stateDB.Commit() method updates the Cosmos SDK KVStore only if the dirtyStorage is different from the originStorage, leaving a window for manipulation. As a result, transactions can be non-atomic, potentially leading to fund drain through smart contract interactions.
