HIGH🇵🇱 Wersja polska

CVE-2024-39696

CVSS 8.8v3.1pub. 2024-07-05upd. 2025-03-07

Evmos is a decentralized Ethereum Virtual Machine chain on the Cosmos Network. Prior to version 19.0.0, a user can create a vesting account with a 3rd party account (EOA or contract) as funder. Then, this user can create an authorization for the contract.CallerAddress, this is the authorization checked in the code. But the funds are taken from the funder address provided in the message. Consequently, the user can fund a vesting account with a 3rd party account without its permission. The funder address can be any address, so this vulnerability can be used to drain all the accounts in the chain. The issue has been patched in version 19.0.0.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Evmos

    APP
    Evmos
    < 19.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-32644CRITICAL9.1PL ✓ten sam produkt

Evmos: możliwość bicia dowolnych tokenów przez niespójność stanów EVM/Cosmos

CVE-2024-37153HIGH7.5ten sam produkt

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. There is an issue with how to liquid st...

CVE-2022-35936HIGH8.2ten sam produkt

Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` ...

CVE-2022-24738HIGH8.1ten sam produkt

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions of evmos prior to 2.0.1 att...

CVE-2024-37154MEDIUM5.3ten sam produkt

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that ...