PT-2024-27337 · Evmos · Evmos

Evmosdao

Published 2024-06-06 · Updated 2024-10-15

CVE-2024-37153

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Evmos versions prior to V18.1.0

Description: The issue is related to liquid staking through a Safe contract. The bug appears when a local state change and an ICS20 transfer happen in the same function and the transfer spends the contract's balance. This is essentially an "infinite money glitch": a contract can double its Evmos supply with each transaction.

Recommendations: For versions prior to V18.1.0, update to a version >= V18.1.0 to patch the issue. As a temporary workaround, consider restricting the use of the contract's balance in ICS20 transfers to minimize the risk of exploitation. Avoid using the sender parameter with the contract address in ICS20 transfers made through the ICS20 precompile until the issue is resolved.

Related Identifiers

CVE-2024-37153
GHSA-XGR7-JGQ3-MHMC
GO-2024-2903

Affected Products

Evmos