Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Stealing Gas: Bypassing Ethermint Ante Handlers - 1172

Felix Wilhelm, posted 2 years ago
  • Cosmos is an SDK for creating blockchains. Ethermint is a Cosmos blockchain that uses the Go EVM for executing smart contracts under the hood. It is the backbone of Cronos, Kava and Canto as well.
  • To run an EVM transaction, a user executes MsgEthereumTx. Before the transaction is executed on the EVM, the Ante Handlers are run. These are functions that run on every transaction and check its validity against the current chain context.
  • Ethermint uses its own Ante Handlers to provide functions like signature verification, gas handling and more within the ecosystem. When processing a transaction with the /ethermint.evm.v1.ExtensionOptionsEthereumTx option, it will go through a large list of decorators. But what if we use a different path? This allows us to execute the code that we want but skip the gas fees.
  • To fix this problem, Cronos added a check to block all non-ETH Ante Handlers from using this code path. This itself has a bypass though. The Ante Handlers assume that a transaction is being executed on messages. However, Cosmos provides a way to submit messages to the chain without directly embedding them into a transaction. Several of the modules support nested or embedded messages.
  • To fix this vulnerability, the Ethermint team added an additional Ante Handler that restricts the types of messages allowed inside an AuthZ message. However, if other modules allow nested messages, the possibility of further bugs remains. This could have been used for a complete bypass of gas fees or a full-on denial of service (DoS) attack.
  • An interesting bug and attack surface within the Cosmos ecosystem, with a wonderful write-up.