PT-2022-16840 · Osmosis+2

Published: 2022-03-07 · Updated: 2024-08-21 · CVE-2022-24738

CVSS v3.1: 8.1 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Evmos versions prior to 2.0.1

Description: The issue allows attackers to drain unclaimed funds from user addresses by creating a new chain that does not enforce signature verification and connecting it to the target Evmos instance. The attacker can use this joined chain to transfer unclaimed funds. The vulnerability has the potential to affect and drain unclaimed airdrop funds from Cosmos and Osmosis eligible user addresses. It requires advanced knowledge of the internals of the core and application packages of IBC, IBC relayers, the Cosmos SDK AnteHandler, and the Evmos x/claims module. No users have suffered the loss of funds as no malicious chains have been connected to Evmos.

Recommendations: For versions prior to 2.0.1, upgrade to version 2.0.1 as soon as possible. There are no known workarounds for this issue, and the fix is state machine breaking, requiring an upgrade procedure to be coordinated with the nodes running the network. As a temporary measure, consider restricting access to the x/claims module to minimize the risk of exploitation.

Exploit

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2022-24738
GHSA-5JGQ-X857-P8XW
GO-2022-0348

Affected Products

Cosmos
Evmos
Osmosis