CVE-2024-32644
CVE-2024-32644
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- Scope
- Unchanged
- Confidentiality
- None
- Integrity
- High
- Availability
- High
Description
Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Prior to 17.0.0, there is a way to mint arbitrary tokens due to the possibility to have two different states not in sync during the execution of a transaction. The exploit is based on the fact that to sync the Cosmos SDK state and the EVM one, we rely on the `stateDB.Commit()` method. When we call this method, we iterate though all the `dirtyStorage` and, **if and only if** it is different than the `originStorage`, we set the new state. Setting the new state means we update the Cosmos SDK KVStore. If a contract storage state that is the same before and after a transaction, but is changed during the transaction and can call an external contract after the change, it can be exploited to make the transaction similar to non-atomic. The vulnerability is **critical** since this could lead to drain of funds through creative SC interactions. The issue has been patched in versions >=V17.0.0.
Comprehensive Technical Analysis of CVE-2024-32644
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2024-32644
Description: Evmos, a scalable, high-throughput Proof-of-Stake EVM blockchain compatible with Ethereum, has a critical vulnerability in versions prior to 17.0.0. The issue arises from the possibility of having two different states not in sync during the execution of a transaction. This discrepancy can be exploited to mint arbitrary tokens, leading to potential draining of funds through creative smart contract (SC) interactions.
Severity: The CVSS score of 9.1 indicates a critical vulnerability. This high score is due to the potential for significant financial loss and the complexity of the exploit, which involves manipulating the state synchronization mechanism between the Cosmos SDK and the EVM.
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- State Manipulation: An attacker can manipulate the contract storage state during a transaction to make it appear unchanged before and after the transaction, while actually modifying it during the transaction.
- External Contract Calls: By calling an external contract after modifying the state, the attacker can exploit the non-atomic nature of the transaction, leading to unintended state changes.
Exploitation Methods:
- Token Minting: The attacker can mint arbitrary tokens by exploiting the state synchronization issue.
- Fund Draining: Creative smart contract interactions can be used to drain funds from vulnerable contracts.
3. Affected Systems and Software Versions
Affected Systems:
- Evmos blockchain versions prior to 17.0.0.
Software Versions:
- All versions of Evmos before 17.0.0 are vulnerable.
4. Recommended Mitigation Strategies
Immediate Actions:
- Upgrade to Version 17.0.0 or Later: Ensure that all nodes and applications using Evmos are upgraded to version 17.0.0 or later, where the vulnerability has been patched.
- Monitor Transactions: Implement monitoring for unusual transaction patterns that may indicate an exploit attempt.
- Audit Smart Contracts: Conduct thorough audits of smart contracts to identify and mitigate potential vulnerabilities.
Long-Term Strategies:
- Regular Security Audits: Conduct regular security audits of the blockchain and smart contracts.
- Community Awareness: Educate the community about the importance of keeping their nodes and applications up to date.
- Incident Response Plan: Develop and maintain an incident response plan to quickly address any future vulnerabilities.
5. Impact on Cybersecurity Landscape
Immediate Impact:
- Financial Loss: Potential for significant financial loss due to the draining of funds.
- Reputation Damage: Loss of trust in the Evmos blockchain and associated smart contracts.
Long-Term Impact:
- Increased Scrutiny: Greater scrutiny of blockchain security practices and smart contract audits.
- Enhanced Security Measures: Adoption of more robust security measures and best practices in the blockchain industry.
6. Technical Details for Security Professionals
Technical Overview:
The vulnerability stems from the stateDB.Commit() method, which iterates through all dirtyStorage and updates the Cosmos SDK KVStore only if the dirtyStorage differs from the originStorage. An attacker can exploit this by ensuring the contract storage state appears unchanged before and after a transaction, while actually modifying it during the transaction.
Code Reference:
- Vulnerable Code:
if dirtyStorage != originStorage { // Update the Cosmos SDK KVStore }
Patch Details:
- Patch Commit: 08982b5ee726b97bc50eaf58d1914829648b6a5f
- Patch Overview: The patch ensures that the state synchronization mechanism is more robust, preventing the exploitation of the non-atomic transaction issue.
References:
Conclusion
CVE-2024-32644 is a critical vulnerability in the Evmos blockchain that can lead to significant financial loss and reputational damage. Immediate mitigation involves upgrading to the patched version and implementing robust monitoring and auditing practices. The long-term impact includes increased scrutiny and the adoption of enhanced security measures in the blockchain industry. Security professionals should prioritize addressing this vulnerability to protect against potential exploits.