CVE-2024-32873 evmos allows transferring unvested tokens after delegations

2024-06-0618:13:54

CWE-682

GitHub_M

github.com

cve-2024-32873

evmos

ethereum virtual machine

cosmos network

unvested tokens

delegations

spendable balance

clawback vesting account

fixed in 18.0.0

3.5 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

6.6 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.1%

JSON

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0.

CNA Affected

[
  {
    "vendor": "evmos",
    "product": "evmos",
    "versions": [
      {
        "version": "< 18.0.0",
        "status": "affected"
      }
    ]
  }
]