Evmos and Cosmos Blockchains
The Evmos blockchain is built using the Cosmos modular blockchain framework, which allows you to spin up entire application-specific blockchains fairly easily. This framework is written in the Go programming language, which can be a totally different experience for those coming from a Solidity-based security background. That being said, with a good week or two of study and testing out Cosmos for yourself, it’s fairly easy to learn.
Now that we’ve covered that, let’s see how I found a critical Evmos bug by simply reading the Cosmos documentation.
Cosmos Documentation
The Cosmos framework offers comprehensive documentation designed to get developers up to speed quickly. As any diligent Web3 security researcher would, my first step was to review the Cosmos documentation, since it’s the foundation for Evmos. Through this, I began to learn about the Cosmos module system, which provides essential blockchain functionality. For instance, the bank module includes out-of-the-box capabilities for transferring funds between accounts.
While exploring the bank module further, an intriguing concept emerged: “module accounts.” These accounts perform specific tasks tied to their module, and many of them should never receive funds directly from a user transfer. The documentation explains this more effectively than I can.
The x/bank module accepts a map of addresses that are considered blocklisted from directly and explicitly receiving funds.
Typically, these addresses are module accounts. If these addresses receive funds outside the expected rules of the state machine, invariants are likely to be broken and could result in a halted network.
Now by reading this snippet from the Cosmos documentation, a good security researcher might think, “They literally just told me how to break a Cosmos blockchain”. So… let’s try it.
The Bug
Let’s see if we can send funds to a module account that should not accept funds, in order to break blockchain invariants and in effect halt the entire Evmos blockchain. Here are the steps needed in order to test such a bug.
1. Clone the GitHub repo containing the Evmos blockchain code.
2. Typically in Cosmos blockchains you would need to follow certain steps in order to get the blockchain running properly. These steps are usually the same and include commands to initialize the blockchain, add funded genesis accounts, generate genesis transactions, collect those genesis transactions, and finally start the blockchain. These commands usually look something like this.
evmosd init evmos -o
evmosd add-genesis-account bob 100000000000stake,100000000000aevmos
evmosd gentx bob 70000000stake --chain-id evmos
evmosd collect-gentxs
evmosd start
Thankfully, Evmos already had a script to do these commands for you, so I just ran the evmosd start command with specific parameters in order to get the blockchain running and creating blocks.
evmosd start --inv-check-period 5 --pruning=nothing $TRACE --log_level $LOGLEVEL --minimum-gas-prices=0.0001aevmos --json-rpc.api eth,txpool,personal,net,debug,web3
3. Open up another terminal while the chain is running and run the below command to send funds to the distribution module account, which should not be allowed in a secure Cosmos blockchain. All module account addresses can be seen by running the evmosd query auth accounts command in another terminal while the chain is running. To grab the mykey account, which is the account the chain starts with, type the evmosd keys list command while the chain is running and you will see the mykey account address beginning with the prefix evmos.
evmosd tx bank send <Enter the mykey address> <Enter distribution account address> 100aevmos --gas-prices 20aevmos
4. The previous step actually allowed me to send funds to the distribution module account, resulting in the following error: ERR CONSENSUS FAILURE!!! err="invariant broken: distribution". At this point no more blocks are being produced and the chain has completely halted. This breaks the Evmos blockchain and all the dApps built on it. This bug has of course since been fixed by the Evmos team.
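To make the documentation snippet above and the failure in step 4 concrete, here is a simplified Go model of the two pieces involved: a bank whose user-facing transfer path consults a blocked-address map, and a module that keeps its own accounting for its module account and checks it with an invariant. This is example code added for this article, not Cosmos SDK or Evmos code; the names Bank, Distribution, AllocateFees, CheckInvariant, Scenario and the evmos1... addresses are constructed placeholders. The enforceBlocklist switch exists only so the same code can show both the fixed behaviour (transfer rejected, invariant intact) and the behaviour the article describes (transfer accepted, invariant broken).

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed illustration of the x/bank blocklist idea from the Cosmos docs.
// Not Cosmos SDK or Evmos code; all names here are assumptions.

var (
	ErrBlockedAddress    = errors.New("recipient is a blocked address")
	ErrInsufficientFunds = errors.New("insufficient funds")
	ErrInvariantBroken   = errors.New("invariant broken: distribution")
)

// Bank holds balances plus the set of addresses that may not receive
// funds through a user-submitted transfer.
type Bank struct {
	balances         map[string]uint64
	blockedAddrs     map[string]bool
	enforceBlocklist bool // false models the pre-fix behaviour the article describes
}

func NewBank(blocked []string, enforce bool) *Bank {
	b := &Bank{balances: map[string]uint64{}, blockedAddrs: map[string]bool{}, enforceBlocklist: enforce}
	for _, a := range blocked {
		b.blockedAddrs[a] = true
	}
	return b
}

// Mint stands in for genesis funding; no blocklist applies to it.
func (b *Bank) Mint(addr string, amt uint64) { b.balances[addr] += amt }

func (b *Bank) Balance(addr string) uint64 { return b.balances[addr] }

// SendCoins is the path a `tx bank send` takes. With the blocklist enforced,
// a transfer to a blocked module account is rejected before state changes.
func (b *Bank) SendCoins(from, to string, amt uint64) error {
	if b.enforceBlocklist && b.blockedAddrs[to] {
		return fmt.Errorf("%w: %s", ErrBlockedAddress, to)
	}
	if b.balances[from] < amt {
		return fmt.Errorf("%w: %s holds %d, needs %d", ErrInsufficientFunds, from, b.balances[from], amt)
	}
	b.balances[from] -= amt
	b.balances[to] += amt
	return nil
}

// Distribution stands in for a module whose account should only be credited
// by the state machine itself, so it records what that account should hold.
type Distribution struct {
	Account  string
	expected uint64
}

// AllocateFees is the module's legitimate funding path: bank balance and the
// module's own expectation move together, so the invariant stays true.
func (d *Distribution) AllocateFees(b *Bank, from string, amt uint64) error {
	if b.balances[from] < amt {
		return ErrInsufficientFunds
	}
	b.balances[from] -= amt
	b.balances[d.Account] += amt
	d.expected += amt
	return nil
}

// CheckInvariant mirrors the periodic check (cf. --inv-check-period) that
// halts the chain when a module account's balance disagrees with the
// module's accounting.
func (d *Distribution) CheckInvariant(b *Bank) error {
	if got := b.Balance(d.Account); got != d.expected {
		return fmt.Errorf("%w: account holds %d, module expects %d", ErrInvariantBroken, got, d.expected)
	}
	return nil
}

// Scenario funds a user, lets the module fund itself legitimately, then
// attempts the article's explicit user transfer to the module account and
// returns the transfer error and the invariant-check error.
func Scenario(enforce bool) (sendErr, invErr error) {
	const user = "evmos1user"             // constructed placeholder address
	const distAcct = "evmos1distribution" // constructed placeholder address
	b := NewBank([]string{distAcct}, enforce)
	dist := &Distribution{Account: distAcct}
	b.Mint(user, 1_000)
	_ = dist.AllocateFees(b, user, 100)       // legitimate: invariant intact
	sendErr = b.SendCoins(user, distAcct, 100) // explicit transfer from a user
	invErr = dist.CheckInvariant(b)
	return sendErr, invErr
}

func main() {
	for _, enforce := range []bool{true, false} {
		sendErr, invErr := Scenario(enforce)
		fmt.Printf("blocklist enforced=%v: send=%v, invariant=%v\n", enforce, sendErr, invErr)
	}
}
```

The point the model makes is that the blocklist and the invariant are two separate defences: the blocklist rejects the transaction up front, while the invariant is the last-resort detector that deliberately halts the chain rather than let inconsistent module accounting persist. A chain that relies on the invariant alone trades an availability failure for every accounting mistake, which is exactly what the error in step 4 shows.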
The Reward
The result of this relatively simple bug was a nice $150,000 bug bounty for a critical finding. This bug taught me a few important things as a security researcher. The first, and most obvious, is to always thoroughly read the documentation of the project you’re investigating. The second, more profound lesson for me was that sometimes the most critical bugs can be extremely simple. The third is that we don’t always have to make bug bounties harder than they need to be. And finally, while searching for complex vulnerabilities, we must never forget to check for the low-hanging fruit.
I want to thank Immunefi and the Evmos team for their cooperation during this bug submission and I look forward to further giving back to the Web3 security community that has given me so much.
This article will be the first of many where I share my insights on all things Web3 related so be sure to follow me on twitter as there are big announcements coming soon.