Advisories for Golang/Github.com/Cosmos/Evm package

On January 21, 2026, Cosmos Labs was notified of suspicious activity on a network running the affected implementation. The issue resulted in financial loss on the Saga EVM network. After confirming the vulnerability, Cosmos Labs coordinated with the affected chain team and ecosystem partners to investigate the issue, deploy mitigations, and assist other chains running the affected code. Cosmos Labs contacted chains known to be running versions containing the affected …

Patches Patched in versions v0.3.1, v0.4.2, and in the v0.5.0 release. More information will be disclosed at a later point to ensure chains have time to safely upgrade. Workarounds No workarounds for chains that make use of static or dynamic precompiles. Upgrading is strongly recommended. Testing Tests are introduced in every affected version. Credits Special thanks to @yihuang for the help on this issue.

Setting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state. If executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user without resetting the claimable rewards to 0. The vulnerability could also be used to cause indeterministic execution by failing at other points in the code, …