- Start date: 14 Mar 2025
- End date: 19 Mar 2025
- Total awards: $16,000 in USDC
- Duration: 5 days
Initia Cosmos Mitigation Review
- Total Prize Pool: $16,000 in USDC
- Warden awards: $13,350 in USDC
- Judge awards: $2,400 in USDC
- Scout awards: $250 in USDC
- Warden guidelines for C4 mitigation reviews
- Starts March 14, 2025 20:00 UTC
- Ends March 19, 2025 20:00 UTC
Important note
Each warden must submit a mitigation review for every finding listed in the Scope section below. Incomplete mitigation reviews will not be eligible for awards.
Findings being mitigated
Mitigations of all High and Medium issues will be considered in-scope and listed here.
- F-10: minievm fails to charge intrinsic gas costs for EVM transactions, allowing abuse of the access list to consume computational resources without proper compensation
- F-11: Explicit gas limit on low-level Solidity calls can be bypassed by dispatched EVM calls via the custom Cosmos precompile
- F-7: `ExecuteRequest`s are not properly removed from the context queue
- F-9: JSON-RPC `FilterCriteria.Addresses` is unbounded and can be used to DoS the RPC
- F-13: EVM stack overflow error leads to no gas being charged, which can be exploited to DoS the chain by dispatching EVM calls via the Cosmos precompile
- F-135: Precompiles fail to charge gas in case of an error, leading to a DoS vector
- F-3: Wrong handling of ERC20 denoms in `ERC20Keeper::BurnCoins`
- F-6: A regular Cosmos SDK message can be disguised as an EVM transaction, causing `ListenFinalizeBlock` to error, which prevents the block from being indexed
- F-17: `GASLIMIT` opcode returns the transaction gas limit instead of the block gas limit, resulting in incompatibility with the EVM
- F-19: Amino legacy signing method broken because of a name mismatch
- F-26: MsgCreate2 deviates from the EVM spec, leaving a large range of addresses unreachable
- F-1: setBeforeSendHook can never delete an existing store due to flawed validation
- F-112: IBC channel version negotiation bypass in IBC hooks middleware
- F-61: Pool fraction is not truncated when allocating tokens, allowing recipients to receive more rewards than owed
- F-15: jsonutils precompile missing in access list
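Why the F-61 mitigation ("use quo truncate") matters, as an added Go example that is not part of the Initia code base or of this contest's materials. The `Share`, `allocate`, `total` and `overAllocates` names and the constructed 10-token pool split 1/2, 1/4, 1/4 are illustrative assumptions; the only claim taken from the page is that a non-truncated pool fraction can pay out more than is owed. The example generalizes the point: with rounding, the sum of per-recipient amounts can exceed the pool, while truncating (floor) division can never do so.

```go
package main

import (
	"fmt"
	"math/big"
)

// Share is a recipient's fractional claim on the pool (Num/Den).
// Constructed for illustration; not a type from the Initia code base.
type Share struct {
	Name string
	Num  int64
	Den  int64
}

// allocate splits an integer pool across shares.
//   truncate == true  -> each amount is floor(pool * Num/Den)
//   truncate == false -> each amount is round-half-up(pool * Num/Den)
// Truncation guarantees sum(amounts) <= pool; rounding does not.
func allocate(pool int64, shares []Share, truncate bool) map[string]int64 {
	out := make(map[string]int64, len(shares))
	for _, s := range shares {
		exact := new(big.Rat).Mul(big.NewRat(pool, 1), big.NewRat(s.Num, s.Den))
		if !truncate {
			// Add 1/2 before flooring to get round-half-up.
			exact.Add(exact, big.NewRat(1, 2))
		}
		// big.Int.Quo truncates toward zero; for non-negative values this is floor.
		floor := new(big.Int).Quo(exact.Num(), exact.Denom())
		out[s.Name] = floor.Int64()
	}
	return out
}

// total sums the allocated amounts.
func total(alloc map[string]int64) int64 {
	var sum int64
	for _, v := range alloc {
		sum += v
	}
	return sum
}

// overAllocates reports whether the scheme hands out more than the pool holds.
func overAllocates(pool int64, shares []Share, truncate bool) bool {
	return total(allocate(pool, shares, truncate)) > pool
}

func main() {
	// Constructed input: a 10-token pool split 1/2, 1/4, 1/4.
	pool := int64(10)
	shares := []Share{{"a", 1, 2}, {"b", 1, 4}, {"c", 1, 4}}

	rounded := allocate(pool, shares, false)
	truncated := allocate(pool, shares, true)
	fmt.Println("rounded:  ", rounded, "total", total(rounded), "over-allocated:", overAllocates(pool, shares, false))
	fmt.Println("truncated:", truncated, "total", total(truncated), "over-allocated:", overAllocates(pool, shares, true))
}
```

With rounding, the two quarter shares each round 2.5 up to 3 and the pool pays out 11 of its 10 tokens; with truncation it pays out 9 and the remainder stays in the pool, which is the safe direction for a distribution module.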
Scope
Mitigation of High & Medium Severity Issues
| URL | Mitigation of | Purpose |
|---|---|---|
| Link | F-10 | Charge intrinsic gas |
| Link | F-11 | Use submsg gas limit |
| Link | F-7 | Fix to maintain execute request on snapshot |
| Link | F-9 | Add max addresses limit |
| Link | F-13 | Change to return the exact error only at simulate or checktx |
| Link | F-135 | Change to return the exact error only at simulate or checktx |
| Link | F-3 | Burn coins error |
| Link | F-6 | fix: ConvertCosmosTxToEthereumTx to properly check type url |
| Link | F-17 | Use block gas limit in block context |
| Link 1, Link 2, Link 3 | F-19 | Fix amino |
| Link | F-26 | Add salt range check |
| Link | F-1 | Delete cosmwasm address validation |
| Link | F-112 | Fix to return final version |
| Link | F-61 | Use quo truncate at distribution pool fraction calculation |
| Link | F-15 | Apply Ottersec audit |
Note: test files are out of scope.