8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39696

GHSA ID

GHSA-q6hg-6m9x-5g9c

EPSS Score

0.30022%

CWE

CWE-863

Published

7/10/2024

Updated

8/9/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39696

CVE-2024-39696: Evmos vulnerable to exploit of smart contract account and vesting

Summary

This advisory board aims to describe two vulnerabilities found in the Evmos codebase:

Authorization check on the fundVestingAccount: unauthorized spend of funds.

Details

Authorization check on the fundVestingAccount

With the current implementation, a user can create a vesting account with a 3rd party account (EOA or contract) as funder. Then, this user can create an authorization for the contract.CallerAddress, this is the authorization checked in the code. But the funds are taken from the funder address provided in the message. Consequently, the user can fund a vesting account with a 3rd party account without its permission. The funder address can be any address, so this vulnerability can be used to drain all the accounts in the chain.

Severity

Based on ImmuneFi Severity Classification System the severity was evaluated to Critical since the attack could have lead to direct loss of funds.

Patches

The issue has been patched in versions >=V19.0.0

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-39696

GHSA ID

GHSA-q6hg-6m9x-5g9c

EPSS Score

0.30022%

CWE

CWE-863

Published

7/10/2024

Updated

8/9/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/evmos/evmos/v18	go	<= 18.0.1	19.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper authorization checks in the fundVestingAccount function. The original implementation validated the contract caller's authorization but used the message-specified funder address for actual fund transfers. This mismatch allowed attackers to create vesting accounts with arbitrary funders without proper authorization. The patch added critical validation that restricts the funder to either the transaction origin (EOA) or the contract caller when invoked through a smart contract, addressing the improper authorization (CWE-863).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T*is **visory *o*r* *ims to **s*ri** two vuln*r**iliti*s *oun* in t** *vmos *o****s*: - _*ut*oriz*tion ****k on t** *un*V*stin****ount_: un*ut*oriz** sp*n* o* *un*s. ### **t*ils #### *ut*oriz*tion ****k on t** *un*V*stin****ount Wit*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *ut*oriz*tion ****ks in t** `*un*V*stin****ount` *un*tion. T** ori*in*l impl*m*nt*tion v*li**t** t** *ontr**t **ll*r's *ut*oriz*tion *ut us** t** m*ss***-sp**i*i** *un**r ***r*ss *or **tu*l *un* tr*ns**rs. T*is

8.8

Basic Information

Concerned about an active attack path?

CVE-2024-39696: Evmos vulnerable to exploit of smart contract account and vesting

Summary

Details

Authorization check on the fundVestingAccount

Severity

Patches

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI