CVE-2024-37153

Public Exploit
Evmos's contract balance not updating correctly after interchain transaction

Description

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The issue arises when liquid staking through a Safe, which is itself a contract. The bug only appears when a local state change and an ICS20 transfer occur in the same function and the transfer spends the contract's own balance, that is, when the contract address is used as the sender parameter of an ICS20 transfer made through the ICS20 precompile. This is in essence an "infinite money glitch": a contract can double its Evmos balance with each such transaction. The issue has been patched in versions >=V18.1.0.

Category

CVSS 3.1 score: 7.5 (Severity: High)
EPSS: 0.02%
Vendor Advisory: github.com
Affected: evmos evmos

Frequently Asked Questions

What is the severity of CVE-2024-37153?
CVE-2024-37153 has been scored as a high severity vulnerability.
How to fix CVE-2024-37153?
To fix CVE-2024-37153, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-37153 being actively exploited in the wild?
It is possible that CVE-2024-37153 is being exploited or will be exploited in the near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-37153?
CVE-2024-37153 affects evmos evmos.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.