Advisories for Golang/Github.com/Cosmos/Evm package

Patches Patched in versions v0.3.1, v0.4.2, and in the v0.5.0 release. More information will be disclosed at a later point to ensure chains have time to safely upgrade. Workarounds No workarounds for chains that make use of static or dynamic precompiles. Upgrading is strongly recommended. Testing Tests are introduced in every affected version. Credits Special thanks to @yihuang for the help on this issue.

Setting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state. If executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user without resetting the claimable rewards to 0. The vulnerability could also be used to cause indeterministic execution by failing at other points in the code, …