Assessment reports > Swisstronik > Low findings > The EvmDenom can be updated by the EVM module's MsgUpdateParams
Category: Coding Mistakes

The EvmDenom can be updated by the EVM module's MsgUpdateParams

Low Severity
Low Impact
Low Likelihood

Description

The EvmDenom parameter, which determines which Cosmos token serves as the EVM's native value token, can be updated through the EVM module's MsgUpdateParams message.

Impact

Smart contracts (e.g., vaults) that keep track of balances denominated in the native EVM value have no way to observe the parameter update in order to invalidate those balances. Balances accrued in the old token are then interpreted according to the new token, resulting in incorrect behavior (e.g., incorrect values withdrawn from vaults). However, since MsgUpdateParams can only be called through the Governance module, this could only be exploited with enough Governance votes to pass proposals to issue MsgUpdateParams messages with a modified EvmDenom.

Recommendations

Disallow updating the EvmDenom parameter.
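
One way to enforce this recommendation in the message handler, shown as an added example: it is not the project's code and not the fix from commit 7bd13cd0. The `Params`, `Keeper` and `MsgUpdateParams` types are simplified, hypothetical stand-ins for the module's types, and the denoms `aold` and `anew` and the authority `gov` are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Params is a simplified, hypothetical stand-in for the EVM module parameters.
type Params struct {
	EvmDenom     string
	EnableCreate bool
}

// MsgUpdateParams mirrors the governance message named in the finding (assumed shape).
type MsgUpdateParams struct {
	Authority string
	Params    Params
}

// Keeper holds params in memory; a real keeper would read them from the store.
type Keeper struct {
	authority string // governance module account (constructed value in main)
	params    Params
}

var (
	ErrUnauthorized   = errors.New("invalid authority")
	ErrImmutableDenom = errors.New("EvmDenom cannot be changed after genesis")
)

// UpdateParams applies a governance update but treats EvmDenom as immutable.
func (k *Keeper) UpdateParams(msg MsgUpdateParams) error {
	if msg.Authority != k.authority {
		return fmt.Errorf("%w: got %s", ErrUnauthorized, msg.Authority)
	}
	if msg.Params.EvmDenom != k.params.EvmDenom {
		return fmt.Errorf("%w: %q -> %q", ErrImmutableDenom, k.params.EvmDenom, msg.Params.EvmDenom)
	}
	k.params = msg.Params
	return nil
}

func main() {
	k := &Keeper{authority: "gov", params: Params{EvmDenom: "aold", EnableCreate: true}}
	err := k.UpdateParams(MsgUpdateParams{Authority: "gov", Params: Params{EvmDenom: "anew"}})
	fmt.Println("denom change:", err)
	err = k.UpdateParams(MsgUpdateParams{Authority: "gov", Params: Params{EvmDenom: "aold"}})
	fmt.Println("other params:", err, k.params)
}
```

The guard rejects the whole message when the denom differs, so a proposal cannot bundle a denom change with otherwise valid parameter updates.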

Remediation

This issue has been acknowledged by Sigma Assets GmbH, and a fix was implemented in commit 7bd13cd0.

Zellic © 2025