CVE-2022-24738: vulnerability analysis and mitigation

Overview

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions prior to 2.0.1, attackers were able to drain unclaimed funds from user addresses. The vulnerability was discovered and disclosed in March 2022; it affects all versions up to 1.1.2, and the patch was released in version 2.0.0 (GitHub Advisory).

Technical details

The vulnerability allowed an attacker to create a new chain that does not enforce signature verification and connect it to the target Evmos instance via IBC. The malicious chain used a custom AnteHandler that skipped signature verification for transactions, specifically the IBC MsgTransfer. Because Evmos trusted the sender address field of the incoming IBC transfer message, this allowed impersonation of any account. The vulnerability was classified as critical with a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) (GitHub Advisory).

Impact

The vulnerability could have been used to drain unclaimed airdrop funds from eligible Cosmos and Osmosis user addresses. Attackers could claim up to 75% of the total initial claimable amount through two airdrop Actions and eventually claim 100% of all user funds. The stolen funds could then be transferred to another chain with a DEX and withdrawn through a centralized exchange. However, no users suffered actual loss of funds, as no malicious chains were connected to Evmos (GitHub Advisory).

Mitigation and workarounds

The vulnerability was patched in version 2.0.0 by implementing a list of authorized channels for chains connected to Evmos via IBC. By default, the authorized destination channels are 'channel-0' (Osmosis) and 'channel-3' (Cosmos Hub). Users were advised to upgrade their mainnet node and validator to v2.0.1 immediately. No workarounds were available as the fix required a state machine breaking change that needed to be coordinated with the nodes running the network (GitHub Advisory).
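The following Go snippet is an added example, not Evmos code, modelling the allowlist described above: a claim-triggering IBC transfer is honoured only if it arrived on an authorized channel, and the sender field is otherwise rejected as untrusted counterparty input. The IBCTransfer type, the channel-to-chain mapping and the sample packets are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Default authorized destination channels named in the advisory. The chain
// names are the advisory's own; mapping them in a Go map is this example's choice.
var authorizedChannels = map[string]string{
	"channel-0": "Osmosis",
	"channel-3": "Cosmos Hub",
}

// IBCTransfer is a constructed stand-in for the fields of an IBC MsgTransfer
// packet that matter for the check (hypothetical, not the real SDK type).
type IBCTransfer struct {
	DestChannel string // channel on Evmos the packet arrived on
	Sender      string // sender address asserted by the counterparty chain
	Receiver    string // Evmos recipient
}

var ErrUnauthorizedChannel = errors.New("ibc transfer from unauthorized channel")

// IsAuthorizedChannel reports whether Evmos has explicitly authorized channel.
func IsAuthorizedChannel(channel string) bool {
	_, ok := authorizedChannels[channel]
	return ok
}

// ProcessClaimTransfer mirrors the post-fix behaviour: the Sender field is
// only acted upon when the packet came over an authorized channel, because only
// those counterparties are known to enforce signature verification. Before the
// fix, any connected chain could assert any Sender and trigger claim actions.
func ProcessClaimTransfer(t IBCTransfer) (string, error) {
	if !IsAuthorizedChannel(t.DestChannel) {
		return "", fmt.Errorf("%w: %q (sender %s)", ErrUnauthorizedChannel, t.DestChannel, t.Sender)
	}
	return fmt.Sprintf("claim action credited to %s via %s (%s)",
		t.Sender, t.DestChannel, authorizedChannels[t.DestChannel]), nil
}

func main() {
	// Constructed sample packets: one from an allowlisted channel, one not.
	for _, tr := range []IBCTransfer{
		{DestChannel: "channel-3", Sender: "cosmos1examplesender", Receiver: "evmos1examplereceiver"},
		{DestChannel: "channel-42", Sender: "cosmos1spoofedsender", Receiver: "evmos1examplereceiver"},
	} {
		if msg, err := ProcessClaimTransfer(tr); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted:", msg)
		}
	}
}
```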
