The crypto trading company Jump Crypto has reportedly blocked a Cosmos and Ethermint bug. The vulnerable bug in question could have caused an impact to the tune of ‘eight figure’ U.S. dollars, per the decentralized platform Evmos.
It is noteworthy that if the bug operated unnoticed, it would have permitted the hacker to proceed without being questioned by particular smart contract functions, such as protocol handlers. Subsequently, users would have fallen prey to transaction fee expropriation and service denial.
Sharing the breaking news, Evmos tweeted:
🔐 A security vulnerability was recently discovered within Ethermint.
🤝 Thankfully, Evmos acted promptly, collaborating w/ @jump_ and @cronos_chain to resolve the issue safely and securely.
🙌 Ethermint is now safer than ever! pic.twitter.com/yD9JyHhhaK
— Evmos ☄️ (@EvmosOrg) April 13, 2023
Evmos also shared the “technical details of the vulnerability and its resolution” in the disclosure by Jump Crypto. The affected network, Ethermint, facilitates using Ethereum smart contracts in the Cosmo ecosystem. It is utilized by various chains, such as Cronos, Kava, and Canto. Soon after discovering the bug, the Core Development team of Evmos and that of the Cronos worked together with Jump Crypto to mitigate the potential risk.
The implementation of the concerned solution involved deploying a patch that would block transactions with ‘MsgEthereumTx’ (a Cosmos SDK message type) messages—permitting a total diffusion of the attack vector. Fortunately, the concerned networks survived without any exploitative malaise, thereby delivering stability and reliability across the blockchains.
Significantly, Jump Crypto received a well-deserved $25,000 bounty for discovering and disclosing the vulnerability from the Cronos team.
Evmos on its blog post, stated that Jump Crypto later donated the bounty money, quoting:
The Cronos team awarded Jump Crypto a $25,000 bounty for their discovery and disclosure of the vulnerability, which Jump Crypto generously donated to Médecins Sans Frontières (MSF), a globally impactful organization.
As per Evmos, the vulnerability stemmed from the mishandling of transactional messages in implementing Ethermint (in particular the MsgEthereumTx and the MsgExec messages’ interaction).
Notably, the MsgExec message was less secure, permitting the culprit to avoid the ‘EthGasConsumeDecorator’ (that deducts transactional gas fees). The Cosmos SDK (software development kit) uses the MsgExec message to permit the execution of authorized messages to allow account-to-account authorizations.
