Homepage
About Snyk

Improper Synchronization Affecting github.com/evmos/evmos/precompiles package, versions <17.0.0

0.0
critical

Snyk CVSS

    Attack Complexity Low
    Integrity High
    Availability High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMEVMOSEVMOSPRECOMPILES-6595984
  • published 11 Apr 2024
  • disclosed 10 Apr 2024
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 10 Apr 2024

New CVE NOT AVAILABLE CWE-662 Open this link in a new tab

How to fix?

Upgrade github.com/evmos/evmos/precompiles to version 17.0.0 or higher.

Overview

Affected versions of this package are vulnerable to Improper Synchronization due to the interaction between stateObject and StateDB during transaction execution. An attacker can mint arbitrary tokens by exploiting the lack of synchronization between the Cosmos SDK state and the EVM state. This is achieved by manipulating the transaction execution process to have two different states not in sync, specifically by altering the contract storage state before and after a transaction while changing it during the transaction to call an external contract. This vulnerability could lead to a significant drain of funds through creative, smart contract interactions.