Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
🐹 Go

GHSA-5jgq-x857-p8xw

HIGH

Account compromise in Evmos

Also known asCVE-2022-24738GO-2022-0348
Published
Mar 7, 2022
Updated
Aug 21, 2024
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
1.0%probability of exploitation in next 30 days
Lower Risk59th percentile+0.75%
0.00%0.51%1.02%1.53%0.3%1.0%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected
🐹github.com/tharsis/evmos

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Impact

What kind of vulnerability is it? Who is impacted?

Classification

The vulnerability has been classified as critical with a score of 9.0 (highest). It has the potential to affect and drain unclaimed airdrop funds from Cosmos and Osmosis eligible user addresses.

Disclosure

The attack requires advanced knowledge of the internals of the core and application packages of IBC, IBC relayers, the Cosmos SDK AnteHandler, and the Evmos x/claims module. The step-by-step attack is described below:

  1. An actor creates a malicious chain with a custom AnteHandler that skips signature verification for transactions, specifically IBC MsgTransfer. This allows the attacker to impersonate any account by setting a custom sender address field of the IBC transfer message.
  2. The malicious actor then connects this newly created chain via IBC to Evmos and fills the recipient address from the transfer message with an address they control.
  3. Once the IBC packet containing the Transfer data is relayed to Evmos, it is processed by the claims module IBC middleware. Which migrates the claim records to the recipient address, which is owned by the attacker.
  4. The attacker then performs two airdrop Actions, claiming up to 75% of the total initial claimable amount.
  5. The Actor repeats steps 1., 2., and 3. for every address that has unclaimed funds from the airdrop. This automatically claims 75% of the unclaimable amount.
  6. The malicious actor performs the final Action, claiming 100% of all the user funds.
  7. Then, the attacker transfers the funds to another chain with a DEX (Osmosis, Cosmos Hub) via IBC.
  8. Finally, the attacker withdraws the total amount in fiat through a centralized exchange.

Users impacted

No users have suffered the loss of funds as no malicious chains have been connected to Evmos.

Patches

Has the problem been patched? What versions should users upgrade to?

The patch involves defining a list of authorized channels for chains that are connected to Evmos via IBC. This restricts the chains that have the capability of migrating users' claims records as per the specification. By default, the authorized destination channels are "channel-0" (Osmosis) and "channel-3" (Cosmos Hub).

Please upgrade your mainnet node and validator to v2.0.1 ASAP.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No, the fix for the critical vulnerability is state machine breaking. An upgrade procedure must be coordinated with the nodes running the network.

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Thanks to the Core IBC team at Interchain GmbH for the secure disclosure of this vulnerability

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
🐹Gogithub.com/tharsis/evmosall versions2.0.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/tharsis/evmos. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update github.com/tharsis/evmos to 2.0.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-5jgq-x857-p8xw is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-5jgq-x857-p8xw is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-5jgq-x857-p8xw. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Impact _What kind of vulnerability is it? Who is impacted?_ ### Classification The vulnerability has been classified as `critical` with a score of `9.0` (highest). It has the potential to affect and drain unclaimed airdrop funds from Cosmos and Osmosis eligible user addresses. ### Disclosure The attack requires advanced knowledge of the internals of the core and application packages of IBC, IBC relayers, the Cosmos SDK `AnteHandler`, and the Evmos `x/claims` module. The step-by-step attack is described below: 1. An actor creates a malicious chain with a custom `AnteHandler` that skips
O3 Security · Impact-Aware SCA

Is GHSA-5jgq-x857-p8xw in your dependencies?

O3 detects GHSA-5jgq-x857-p8xw across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works