The EvmDenom can be updated by the EVM module's MsgUpdateParams
Description
The EvmDenom parameter, which determines which Cosmos token is used as the EVM's value, is updatable through the EVM module's MsgUpdateParams message.
Impact
If smart contracts (e.g., vaults) keep track of balances denominated in the native EVM value, they have no way to observe the parameter update and invalidate those balances. The result is incorrect behavior (e.g., incorrect values withdrawn from vaults), because balances accrued in the old token are interpreted according to the new token. However, since MsgUpdateParams can only be called through the Governance module, this could only be exploited with enough Governance votes to pass proposals to issue MsgUpdateParams messages with a modified EvmDenom.
Recommendations
Disallow updating the EvmDenom parameter.
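One way to enforce this in the update handler, shown as an added sketch that is not the project's code or the change made in the fix commit. Params, MsgUpdateParams and Keeper are simplified stand-ins for the EVM module's types, and the denom and authority values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Params is a simplified stand-in for the EVM module's parameters (assumption).
type Params struct {
	EvmDenom     string
	EnableCreate bool
	EnableCall   bool
}

// MsgUpdateParams models the governance message: a signer plus the full new parameter set.
type MsgUpdateParams struct {
	Authority string
	Params    Params
}

var (
	ErrUnauthorized      = errors.New("signer is not the module authority")
	ErrEvmDenomImmutable = errors.New("EvmDenom cannot be changed after genesis")
)

// Keeper holds the current parameters and the only address allowed to update them.
type Keeper struct {
	authority string
	params    Params
}

// UpdateParams applies a parameter update but rejects any change to EvmDenom,
// so balances tracked by contracts are never reinterpreted in a different token.
func (k *Keeper) UpdateParams(msg MsgUpdateParams) error {
	if msg.Authority != k.authority {
		return ErrUnauthorized
	}
	if msg.Params.EvmDenom != k.params.EvmDenom {
		return fmt.Errorf("%w: current %q, proposed %q",
			ErrEvmDenomImmutable, k.params.EvmDenom, msg.Params.EvmDenom)
	}
	k.params = msg.Params // all other parameters remain updatable
	return nil
}

func main() {
	// "gov", "aold" and "anew" are constructed sample values.
	k := &Keeper{authority: "gov", params: Params{EvmDenom: "aold", EnableCall: true}}
	err := k.UpdateParams(MsgUpdateParams{Authority: "gov", Params: Params{EvmDenom: "anew"}})
	fmt.Println("denom change:", err)
}
```

The check compares the proposed value against the stored one, so a proposal that resubmits the existing EvmDenom while changing other parameters still passes.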
Remediation
This issue has been acknowledged by Sigma Assets GmbH, and a fix was implemented in commit 7bd13cd0.