
Developers Block Potential ‘Eight-Figure’ Exploit Involving Cosmos-Based Ethermint

Ethermint enables the use of Ethereum smart contracts within the Cosmos ecosystem and is employed by several chains, including Cronos, Kava and Canto.

Updated Apr 14, 2023, 3:06 p.m. Published Apr 14, 2023, 6:36 a.m.
(Mika Baumeister/Unsplash)

A vulnerability affecting Ethermint and the Cosmos chains built on it was discovered by crypto trading firm Jump Crypto and patched before it could be exploited; its potential impact was as much as "eight figures" in U.S. dollars, Cosmos developers Evmos told CoinDesk.

The affected software in this incident was Ethermint, which enables the use of Ethereum smart contracts within the Cosmos ecosystem and is employed by several chains, including Cronos, Kava and Canto.


The bug could have allowed an attacker to bypass specific transaction-processing checks called ante handlers, which run before a transaction is executed. Skipping them would have let an attacker submit Ethereum transactions without paying gas, depriving validators of fees and opening the chains to denial of service through free transaction spam.

Immediately upon receiving the report, the Evmos Core Development team and the Cronos team collaborated with Jump Crypto to address the issue. The fix was a patch that rejects transactions carrying a "MsgEthereumTx" message through the vulnerable path, eliminating the attack vector.

No malicious exploitation occurred, ensuring the continued stability and reliability of the affected chains.

The Cronos team awarded Jump Crypto a $25,000 bounty for discovering and disclosing the vulnerability.

Evmos said that the root cause of the vulnerability lay in the improper handling of transactional messages in the Ethermint implementation, specifically the interaction between the MsgEthereumTx message and the MsgExec message.

The MsgExec message belongs to the Cosmos SDK's authz module: after one account (the granter) authorizes another (the grantee), the grantee can use MsgExec to execute messages on the granter's behalf. Ethermint did not account for this path, so a MsgEthereumTx delivered inside a MsgExec would not pass through the 'EthGasConsumeDecorator', the ante handler responsible for deducting gas fees from Ethereum transactions.

An attacker could have exploited the vulnerability by embedding a MsgEthereumTx message inside a MsgExec message. Because the decorator only inspected top-level messages, the nested transaction would have executed without the attacker paying gas fees.
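The following Go program is an added illustration of the bypass and of the class of fix described above. It is not Ethermint's, Evmos's or Cronos's code, and it does not import the Cosmos SDK; the message types, the `Tx` struct and the two "decorator" functions are simplified stand-ins (assumptions for this example) that keep only the property that matters here: the vulnerable check walks top-level messages, while the hardened check also descends into `MsgExec`, including `MsgExec` nested inside `MsgExec`, which goes beyond the single-level case the article describes.

```go
package main

import (
	"errors"
	"fmt"
)

// Msg models a Cosmos SDK sdk.Msg (constructed for this example).
type Msg interface{ Type() string }

// MsgEthereumTx models an Ethermint EVM transaction; Gas is the gas it must pay.
type MsgEthereumTx struct{ Gas uint64 }

func (MsgEthereumTx) Type() string { return "MsgEthereumTx" }

// MsgExec models the authz module's MsgExec: messages executed by a grantee
// on behalf of a granter. Its inner messages may themselves be MsgExec.
type MsgExec struct {
	Grantee string
	Msgs    []Msg
}

func (MsgExec) Type() string { return "MsgExec" }

// MsgSend stands in for any ordinary Cosmos message that is not EVM-related.
type MsgSend struct{ Amount uint64 }

func (MsgSend) Type() string { return "MsgSend" }

// Tx models a Cosmos transaction: a flat list of top-level messages.
type Tx struct{ Msgs []Msg }

// ErrNestedEthTx is returned by the hardened check when a MsgEthereumTx is
// found inside a MsgExec at any depth.
var ErrNestedEthTx = errors.New("MsgEthereumTx nested inside MsgExec is not allowed")

// vulnerableGasConsume models an EthGasConsumeDecorator that only looks at
// top-level messages. A MsgEthereumTx wrapped in MsgExec is invisible to it,
// so the returned gas charge for such a transaction is zero: the bypass.
func vulnerableGasConsume(tx Tx) (uint64, error) {
	var total uint64
	for _, m := range tx.Msgs {
		if eth, ok := m.(MsgEthereumTx); ok {
			total += eth.Gas
		}
	}
	return total, nil
}

// rejectNestedEthTx walks the message tree and refuses any MsgEthereumTx that
// sits below the top level (depth > 0), recursing through nested MsgExec.
func rejectNestedEthTx(msgs []Msg, depth int) error {
	for _, m := range msgs {
		switch v := m.(type) {
		case MsgEthereumTx:
			if depth > 0 {
				return ErrNestedEthTx
			}
		case MsgExec:
			if err := rejectNestedEthTx(v.Msgs, depth+1); err != nil {
				return err
			}
		}
	}
	return nil
}

// patchedGasConsume is the hardened form: it first rejects nested EVM
// transactions, then charges gas for the (now guaranteed top-level) ones.
func patchedGasConsume(tx Tx) (uint64, error) {
	if err := rejectNestedEthTx(tx.Msgs, 0); err != nil {
		return 0, err
	}
	return vulnerableGasConsume(tx)
}

func main() {
	// Constructed sample: an EVM tx hidden two MsgExec levels deep.
	hidden := Tx{Msgs: []Msg{
		MsgSend{Amount: 1},
		MsgExec{Grantee: "grantee", Msgs: []Msg{
			MsgExec{Grantee: "grantee", Msgs: []Msg{MsgEthereumTx{Gas: 21000}}},
		}},
	}}
	gas, err := vulnerableGasConsume(hidden)
	fmt.Printf("vulnerable: gas=%d err=%v\n", gas, err) // gas=0, no error: free execution
	gas, err = patchedGasConsume(hidden)
	fmt.Printf("patched:    gas=%d err=%v\n", gas, err) // rejected
}
```

The depth counter is what makes the check robust against double wrapping; a fix that only inspects the direct children of a top-level `MsgExec` would still be bypassable by one more layer of nesting.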
