
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability was discovered in Evmos, the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network, affecting versions up to 18.0.0. The vulnerability, identified as CVE-2024-37153, was found while testing liquid staking functionality with a Safe contract (Evmos Advisory).
The issue manifests when the contract's own address is passed as the sender parameter of an ICS20 transfer made through the ICS20 precompile, and that transfer is combined, within the same function, with a local state change that uses the contract's balance. The bug appears only when both conditions hold together. This implementation flaw allows contracts to manipulate token balances incorrectly during interchain transactions (Evmos Advisory).
The vulnerability is classified as Critical under the ImmuneFi Severity Classification System. It effectively creates an "infinite money glitch": an affected contract can double the supply of Evmos tokens with each transaction, leading to a direct loss of funds' value through artificial inflation of the token supply (Evmos Advisory).
The vulnerability has been patched in Evmos version 18.1.0 and later releases. Users and developers are strongly advised to upgrade to the patched version to prevent potential exploitation (Evmos Advisory).
Source: This report was generated using AI