Cosmos EVM, State Handling Vulnerability, CVE-2026-ASA002 (Critical)

Listen to this Post

The vulnerability stemmed from incorrect state handling during nested EVM execution paths involving the ICS20 precompile . Under specific execution conditions, state updates performed during recursive or nested calls to the precompile were not correctly reflected in the outer execution context. This inconsistency occurred because the state synchronization mechanism between the EVM and the Cosmos SDK allowed intermediate state changes to persist without proper reversion when execution paths diverged. An attacker could exploit this by crafting a transaction that called a smart contract, which then invoked the ICS20 precompile. During this nested execution, the contract would modify its state, then revert it before the transaction completed. Because the dirtyStorage was compared to originStorage at commit time and found to be identical, the final state changes were never written to the KVStore, even though the precompile operations had already executed and transferred assets . This allowed the attacker to mint or transfer tokens without the corresponding state updates recording the balance deductions, effectively enabling double-spending or unauthorized minting within a single transaction. The Saga network experienced a $7 million loss due to this vulnerability on January 21, 2026 .
Platform: Cosmos EVM
Version: pre-v0.6.0
Vulnerability: State Inconsistency
Severity: Critical
date: March 2026

Prediction: March 2026

What Undercode Say:

Analytics:

The exploit affected chains running Cosmos EVM implementations with the ICS20 precompile enabled. Fifteen chains were identified as running vulnerable code, with six chains unaffected because the feature was disabled. One chain (Saga) suffered a $7 million loss before mitigation . The remaining chains implemented mitigations before exploitation occurred.

Bash/Codes:

Check if chain is running vulnerable version
cosmovisor version | grep "evm"
Disable ICS20 precompile as immediate mitigation
Add to app.toml or config.yml
evm:
precompiles:
disable:
- "ics20"
Verify ICS20 precompile address (0x0000000000000000000000000000000000000802)
cast call 0x0000000000000000000000000000000000000802 "supportsInterface(bytes4)" "0x01ffc9a7" --rpc-url $RPC_URL
Upgrade to patched version v0.6.0
go get github.com/cosmos/[email protected]
go mod tidy
// Vulnerable pattern - nested precompile call with state revert
function exploitPattern() external {
stateVar = 100; // State A -> B
ICS20_PRECOMPILE.transfer(params); // Executes with state B
stateVar = 0; // Revert to A (original)
// Final commit sees A == originStorage, skips write
// But transfer already happened
}
// Fixed implementation pattern
function fixedImplementation() external {
// Precompile calls now wrapped in atomic functions
(bool success, bytes memory result) = p.RunAtomic(...);
require(success, "Atomic execution failed");
}

How Exploit:

  1. Attacker deployed malicious smart contract targeting ICS20 precompile
  2. Contract initiated cross-chain transfer via precompile at 0x0802
  3. During nested execution, contract modified and then reverted its own state
  4. StateDB.Commit() compared dirtyStorage with originStorage – found them equal

5. KVStore update skipped because storage appeared unchanged

  1. Precompile execution already transferred assets but balance deduction never persisted
  2. Attacker repeated process to mint ~$7M in Saga Dollar without collateral
  3. Stolen assets bridged to Ethereum and swapped to ETH
  4. Funds later deposited into Tornado Cash for obfuscation

Protection from this CVE:

  • Upgrade to Cosmos EVM v0.6.0 or later
  • Disable ICS20 precompile if not required for operations
  • Wrap precompile executions in atomic functions that revert state on error
  • Implement RevertMultiStore function to handle nested execution paths
  • Validate that precompile state changes are properly committed before external calls
  • Add monitoring for unusual cross-chain transfer patterns
  • Conduct fuzz testing focused on complex execution paths and nested calls
  • Regular security audits of precompile implementations

Impact:

  • Financial Loss: ~$7 million stolen from Saga network
  • Stablecoin Depeg: Saga Dollar dropped to $0.75
  • TVL Impact: Saga TVL fell from $37M to $16M within 24 hours
  • Network Disruption: SagaEVM paused at block 6,593,800
  • Ecosystem Reach: 15 chains identified as vulnerable; 6 had feature disabled; remaining chains patched before exploitation
  • Trust Impact: Eroded confidence in Cosmos EVM precompile security
  • Remediation Cost: Development and coordination efforts across multiple ecosystem teams including Saga, B-Harvest, Mantra, Zellic, and Sherlock

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top