
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (GHSA-mjfq-3qr2-6g84) affects Cosmos EVM version 0.1.0 and was discovered and disclosed in May 2025. This critical security flaw allows a user to execute a precompile only partway, erroring at a specific point in the precompile code, without the partially written state being reverted. The vulnerability has a CVSS v4 base score of 8.3 (High severity) and affects any evmOS or Cosmos EVM chain that uses precompiles (GitHub Advisory, Wiz Advisory).
The vulnerability is triggered by setting a lower EVM call gas, which allows a precompile to run partially without its state changes being reverted. Its CVSS metrics are a network attack vector, low attack complexity and no privileges required. The impact is on integrity; confidentiality is not affected (GitHub Advisory).
If exploited on the distribution precompile during a rewards claim, this vulnerability could cause funds to be transferred to a user without the claimable rewards being reset to 0. It could also lead to non-deterministic execution, since execution can fail at different points in the code, potentially causing validator halts (GitHub Advisory).
The vulnerability has been patched by introducing an atomic function that reverts any partially committed state on error. The fix wraps each precompile execution in a RunAtomic function and modifies several core files, including x/evm/statedb.go, x/evm/statedb/journal.go, and precompiles/common/precompile.go. There is no workaround for chains using precompiles, so a coordinated upgrade is required to apply the patch (GitHub Advisory).
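To make the fix pattern concrete, the following Go example is added here and is not Cosmos EVM's own code: the StateDB, set, RunAtomic and claimRewards functions and the "alice" account are all constructed for illustration. It shows a journaled state whose claim flow, run without the wrapper, keeps the payout while leaving the rewards claimable, and the same flow wrapped in RunAtomic being fully reverted when it errors midway.

```go
package main

import "errors"

// Toy stand-in for the EVM StateDB (constructed here, not Cosmos EVM's types).
type StateDB struct {
	balance, claimable map[string]int64
	journal            []func() // undo closures, newest last
}

// set records how to undo the write before applying it.
func (s *StateDB) set(m map[string]int64, k string, v int64) {
	old := m[k]
	s.journal = append(s.journal, func() { m[k] = old })
	m[k] = v
}

// RunAtomic (hypothetical, mirrors the advisory's fix): undo all writes on error.
func RunAtomic(s *StateDB, fn func() error) error {
	snap := len(s.journal)
	err := fn()
	if err != nil { // replay undo entries newest-first back to the snapshot
		for i := len(s.journal) - 1; i >= snap; i-- {
			s.journal[i]()
		}
		s.journal = s.journal[:snap]
	}
	return err
}

// claimRewards models the distribution precompile; outOfGas fails between its two writes.
func claimRewards(s *StateDB, addr string, outOfGas bool) error {
	s.set(s.balance, addr, s.balance[addr]+s.claimable[addr])
	if outOfGas {
		return errors.New("out of gas after transfer")
	}
	s.set(s.claimable, addr, 0)
	return nil
}

// Claim runs the flow on a constructed account, with or without the wrapper.
func Claim(atomic, outOfGas bool) (bal, claim int64, err error) {
	s := &StateDB{balance: map[string]int64{"alice": 100}, claimable: map[string]int64{"alice": 50}}
	run := func() error { return claimRewards(s, "alice", outOfGas) }
	if atomic {
		err = RunAtomic(s, run)
	} else {
		err = run()
	}
	return s.balance["alice"], s.claimable["alice"], err
}
```

Without the wrapper, Claim(false, true) leaves the balance at 150 and the claimable rewards at 50, so the same rewards could be claimed again; with the wrapper, the failed call leaves both values untouched.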
Source: This report was generated using AI