Ethereum Virtual Machine (EVM) and Cosmos Network Convergence Examined in Blockchain Security Report

The web3 and blockchain ecosystem continues to evolve, with interoperability between major ecosystems like Ethereum’s Virtual Machine (EVM) and the Cosmos network emerging as critical infrastructure.

CertiK’s recent insights aim to delve into this convergence, analyzing it through the framework of layered blockchain architecture—a model that gained traction after Ethereum’s pivotal Merge in 2022.

The CertiK research reports scrutinize technical integrations, uncover vulnerabilities, and propose security enhancements, offering guidance for developers and projects aiming to bridge these ecosystems.

CertiK researchers extensively examine early integration efforts, using EVMOS (formerly Ethermint) as a primary case study.

EVMOS embeds the EVM directly as a Cosmos SDK module, enabling Ethereum-compatible smart contracts on Cosmos chains.

This dual-stack approach processes two transaction types: EVM transactions, which mimic Ethereum’s execution environment via a go-ethereum runtime, and native Cosmos transactions routed through message type URLs.

However, CertiK highlights stark discrepancies in gas mechanics—EVM’s refund system versus Cosmos’s full-cost model—creating opportunities for exploitation.

Key vulnerabilities include direct bypasses of the EthAnteHandler, where attackers submit Cosmos transactions with MsgEthereumTx messages lacking required extensions, evading fee deductions.
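The routing decision behind that bypass, shown as an added model that is not code from the CertiK report or from evmos: the type names, placeholder type URLs and the two routing functions are assumptions made for illustration. `legacyRoute` chooses the ante chain from the extension option alone, so a MsgEthereumTx smuggled into a plain Cosmos transaction is never charged EVM gas; `hardenedRoute` rejects any transaction whose messages do not match the path its extension option selects.

```go
package main

import "fmt"

// Constructed model of the dual-stack routing described above. The type names
// and URL strings are simplified placeholders, not the evmos SDK's definitions.
type Msg struct{ TypeURL string }

type Tx struct {
	Msgs         []Msg
	EthExtension bool // true when the tx carries the EVM extension option
}

const (
	msgEthereumTxURL = "/example.evm.MsgEthereumTx" // placeholder type URL
	anteEth          = "EthAnteHandler"             // deducts EVM gas * gas price
	anteCosmos       = "CosmosAnteHandler"          // deducts the declared SDK fee only
)

// legacyRoute picks the ante chain from the extension option alone. A Cosmos
// tx that wraps MsgEthereumTx without the extension lands in the Cosmos chain,
// whose decorators never deduct EVM gas: the fee bypass the report describes.
func legacyRoute(tx Tx) string {
	if tx.EthExtension {
		return anteEth
	}
	return anteCosmos
}

// hardenedRoute makes the two paths mutually exclusive: an EVM tx may carry
// only MsgEthereumTx and a Cosmos tx may carry none, so every message is
// processed by the ante chain that accounts for its gas.
func hardenedRoute(tx Tx) (string, error) {
	if len(tx.Msgs) == 0 {
		return "", fmt.Errorf("transaction carries no messages")
	}
	for i, m := range tx.Msgs {
		if isEvm := m.TypeURL == msgEthereumTxURL; isEvm != tx.EthExtension {
			return "", fmt.Errorf("msg %d (%s) does not match the tx's ante path", i, m.TypeURL)
		}
	}
	if tx.EthExtension {
		return anteEth, nil
	}
	return anteCosmos, nil
}
```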

CertiK’s code analysis reveals further flaws, including in evmos’s ante handlers.

The update from CertiK points out EVMOS’s planned deprecation of Cosmos transactions by late 2024 for full EVM alignment but warns of the maintenance burden in hybrid setups, foreshadowing a shift to layered architectures.

Building on this, CertiK research team members go on to explore a more sophisticated interaction method: using EVM transactions to interface with Cosmos SDK modules via custom precompiled contracts.

These stateful precompiles—extending EVM’s built-in functions for hashing or cryptography—allow operations like staking, governance, and fund transfers directly from smart contracts.

The workflow initializes shared states between EVM and Cosmos, executing transactions that alter SDK modules such as staking or bank.

While this boosts interoperability for decentralized applications, CertiK identifies severe security risks from state inconsistencies.

Furthermore, the analysis from the blockchain security firm underscores precompiles’ potential for complex dApps but stresses the need for rigorous state synchronization.

The insights from CertiK culminate by pivoting to layered architectures post-Ethereum Merge, separating the Consensus Layer (CL) and Execution Layer (EL).

Ethereum’s EL handles EVM transactions via clients like Geth, while the CL manages Proof-of-Stake consensus with Gasper FFG using Prysm or Lighthouse.

The Engine API bridges them, facilitating block proposals and validations, as detailed in the Shanghai Spec’s methods.

In addition to these insights, CertiK examines interoperability enhancements, including consensus swaps via Engine API v5 (expected Q4 2025 with Fusaka).

Projects like Berachain and Story Protocol replace Gasper with CometBFT—a BFT engine from Cosmos—for instant finality, using BeaconKit middleware.

Yet, security concerns arise: for instance, inappropriate error handling in CometBFT’s ProcessProposal accepts invalid payloads, allowing faulty EVM transactions or payloads with missing blob sidecars to be processed.

Drawing from Berachain’s Cantina Competition Report, CertiK recommends rejecting execution errors and enhancing duplicate checks to bolster resilience.

Overall, CertiK’s updates highlight the EVM-Cosmos convergence’s aim for scalable, interoperable blockchains while exposing dual-stack pitfalls like fee theft and state desyncs.

Layered designs offer flexibility, but as seen in EVMOS evolutions and consensus innovations, security must prioritize consistency and atomicity.

With vulnerabilities patched in projects like evmos and Berachain, this research aims to equip the ecosystem to navigate convergence safely, fostering tech advancements without compromising integrity.
