PT-2024-24737 · Evmos · Evmos

Iczc · Published 2024-04-10 · Updated 2024-06-05 · CVE-2024-32644

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Evmos versions prior to 17.0.0

Description

The issue arises because two different states can be out of sync during the execution of a transaction, which allows arbitrary tokens to be minted. The cause is the reliance on the stateDB.Commit() method to sync the Cosmos SDK state and the EVM state. When this method is called, it iterates through all the dirtyStorage and updates the state only if it differs from the originStorage. If a contract's storage state is the same before and after a transaction but is changed during the transaction, and the contract can call an external contract after the change, this can be exploited to make the transaction behave similarly to a non-atomic one. This could lead to a drain of funds through creative smart contract interactions.

Recommendations

For versions prior to 17.0.0, update to version 17.0.0 or later to resolve the issue. As a temporary workaround, consider restricting the use of smart contracts that can call external contracts after a state change to minimize the risk of exploitation. Avoid using contracts whose storage state is the same before and after a transaction but is changed during the transaction.
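
The storage pattern named in the description and the workaround can be checked mechanically over an execution trace. The Go sketch below is an added example, not Evmos code: the `Event` trace format and the `RiskySlots` function are hypothetical, and the sample trace is constructed. It flags slots that were changed, were still changed when an external call ran, and were restored to their original value by the end of the transaction.

```go
package main

import (
	"fmt"
	"sort"
)

// Event is one step of a simplified, hypothetical execution trace:
// Kind "sstore" writes Value to Slot; Kind "call" is an external call.
type Event struct{ Kind, Slot, Value string }

// RiskySlots returns slots that held a non-original value while an external
// call ran and ended equal to the original value, so a commit that compares
// dirty to origin would skip them. A slot missing from origin counts as "".
func RiskySlots(origin map[string]string, trace []Event) []string {
	dirty := map[string]string{} // latest value written per slot
	exposed := map[string]bool{} // slot differed from origin during a call
	for _, ev := range trace {
		switch ev.Kind {
		case "sstore":
			dirty[ev.Slot] = ev.Value
		case "call":
			for slot, v := range dirty {
				if v != origin[slot] {
					exposed[slot] = true
				}
			}
		}
	}
	var out []string
	for slot := range exposed {
		if dirty[slot] == origin[slot] {
			out = append(out, slot)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	origin := map[string]string{"counter": "0", "owner": "0xA"}
	trace := []Event{ // constructed sample trace
		{Kind: "sstore", Slot: "counter", Value: "1"},
		{Kind: "sstore", Slot: "owner", Value: "0xB"},
		{Kind: "call"},
		{Kind: "sstore", Slot: "counter", Value: "0"},
	}
	fmt.Println(RiskySlots(origin, trace))
}
```

In the sample, only `counter` is reported: `owner` also differs during the call, but its final value differs from the original, so it is not a slot that ends the transaction unchanged.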


Related Identifiers

CVE-2024-32644
GHSA-3FP5-2XWH-FXM6
GO-2024-2715

Affected Products

Evmos