Developers Block Potential ‘Eight-Figure’ Exploit Involving Cosmos-Based Ethermint
Ethermint enables the use of Ethereum smart contracts within the Cosmos ecosystem and is employed by several chains, including Cronos, Kava and Canto.

A vulnerability affecting the Cosmos ecosystem and Ethermint was recently discovered by crypto trading firm Jump Crypto and blocked before it could cause an impact of as much as "eight figures" in U.S. dollars, Cosmos developers Evmos told CoinDesk.
The compromised network in this incident was Ethermint, which enables the use of Ethereum smart contracts within the Cosmos ecosystem and is employed by several chains, including Cronos, Kava and Canto.
The bug could have potentially allowed an attacker to bypass specific smart contract functions called handlers, leading to transaction fee theft and denial of service to users.
Immediately upon receiving the report, the Evmos Core Development team and the Cronos team collaborated with Jump Crypto to address the issue. The implementation included a patch to block transactions with "MsgEthereumTx" messages, which eliminated the attack vector.
No malicious exploitation occurred, ensuring the continued stability and reliability of the affected chains.
The Cronos team awarded Jump Crypto a $25,000 bounty for discovering and disclosing the vulnerability.
Evmos said that the root cause of the vulnerability lay in the improper handling of transactional messages in the Ethermint implementation, specifically the interaction between the MsgEthereumTx message and the MsgExec message.
The MsgExec message is used in the Cosmos SDK to allow authorized message execution by allowing one account to grant authorization to another account. However, this feature was not properly secured, allowing the attacker to bypass the ‘EthGasConsumeDecorator,’ which is responsible for deducting gas fees from transactions.
The attacker exploited the vulnerability by embedding a MsgEthereumTx message inside a MsgExec message. This bypassed the EthGasConsumeDecorator, resulting in the attacker not paying gas fees for their transactions.
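The kind of check that closes this gap can be sketched in Go. This is an added example, not code from Ethermint, Evmos or the Cosmos SDK: the message types are simplified stand-ins, and `CheckTx`, `walk` and the nesting cap are hypothetical names and values chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Msg is a simplified stand-in for a Cosmos SDK message (model type, not the SDK's).
type Msg interface{}

// MsgEthereumTx models the EVM transaction message; fields omitted.
type MsgEthereumTx struct{}

// MsgExec models the authz wrapper: it carries inner messages to execute.
type MsgExec struct{ Msgs []Msg }

// maxNesting is an assumed cap so deeply wrapped messages cannot exhaust the check.
const maxNesting = 6

var (
	ErrNestedEthTx = errors.New("MsgEthereumTx not allowed inside MsgExec")
	ErrTooDeep     = errors.New("MsgExec nesting exceeds limit")
)

// CheckTx (hypothetical name) rejects a transaction in which a MsgEthereumTx
// is wrapped, at any depth, inside a MsgExec. Top-level messages pass.
func CheckTx(msgs []Msg) error { return walk(msgs, 0, false) }

func walk(msgs []Msg, depth int, insideExec bool) error {
	if depth > maxNesting {
		return ErrTooDeep
	}
	for _, m := range msgs {
		switch v := m.(type) {
		case MsgEthereumTx:
			if insideExec {
				return ErrNestedEthTx
			}
		case MsgExec:
			if err := walk(v.Msgs, depth+1, true); err != nil {
				return err
			}
		}
	}
	return nil
}

func main() {
	wrapped := []Msg{MsgExec{Msgs: []Msg{MsgEthereumTx{}}}} // constructed sample
	fmt.Println(CheckTx([]Msg{MsgEthereumTx{}}), CheckTx(wrapped))
}
```

The recursion matters because a check that inspects only the first layer of a `MsgExec` would miss a `MsgEthereumTx` wrapped twice.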