Vulnerability in Evmos Allows Drain of All Accounts in the Chain
CVE-2024-39696

8.1 HIGH

Key Information:

Vendor: Evmos
Status: Vendor
CVE Published: 5 July 2024

What is CVE-2024-39696?

Evmos, a decentralized Ethereum Virtual Machine chain operating on the Cosmos Network, contained a vulnerability prior to version 19.0.0 that allowed users to set up vesting accounts with a third-party account (either an externally owned account or a contract) as the funder. This flaw enabled the creation of unauthorized authorizations linked to contract.CallerAddress, through which funds were withdrawn from the funder's address without the funder's consent. The exploit could potentially drain all funds from the accounts on the chain, posing a significant risk to asset security. This critical issue was remediated in version 19.0.0, and all users are urged to update promptly.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published