Description
Evmos is a decentralized Ethereum Virtual Machine chain on the Cosmos Network. Prior to version 19.0.0, a user can create a vesting account with a third-party account (EOA or contract) as funder. The user can then create an authorization for the contract.CallerAddress; this is the authorization the code checks, but the funds are taken from the funder address supplied in the message. Consequently, the user can fund a vesting account from a third-party account without its permission. Because the funder address can be any address, this vulnerability can be used to drain all the accounts in the chain. The issue has been patched in version 19.0.0.
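The authorization mismatch described above, reduced to a minimal model as an added example (this is not Evmos code and does not use its types): the vulnerable handler checks a grant tied to the caller while debiting the funder from the message, and the fixed handler checks the grant of the account that actually pays. Account names, balances and the grant table are constructed for the demo.

```go
package main

import "fmt"

// Simplified model, not Evmos code: grants keyed by (granter, grantee), balances
// keyed by address. Names such as "user" and "thirdparty" are constructed.
type Address string
type Chain struct {
	Balances map[Address]uint64
	Grants   map[Address]map[Address]bool // Grants[granter][grantee]
}
type FundVestingMsg struct {
	Funder, VestingAccount Address
	Amount                 uint64
}
var ErrUnauthorized = fmt.Errorf("funder has not authorized this spender")

func (c *Chain) transfer(from, to Address, amount uint64) error {
	if c.Balances[from] < amount {
		return fmt.Errorf("insufficient balance in %s", from)
	}
	c.Balances[from] -= amount
	c.Balances[to] += amount
	return nil
}

// Vulnerable shape: the grant checked is one the tx origin gave to the caller,
// but the debit hits msg.Funder, which the message may set to any address.
func (c *Chain) FundVestingVulnerable(origin, caller Address, msg FundVestingMsg) error {
	if !c.Grants[origin][caller] {
		return ErrUnauthorized
	}
	return c.transfer(msg.Funder, msg.VestingAccount, msg.Amount)
}

// Fixed shape: the account that pays must be the caller or have granted the caller.
func (c *Chain) FundVestingFixed(caller Address, msg FundVestingMsg) error {
	if msg.Funder != caller && !c.Grants[msg.Funder][caller] {
		return ErrUnauthorized
	}
	return c.transfer(msg.Funder, msg.VestingAccount, msg.Amount)
}

// NewDemoChain: "user" authorized its own "contract"; "thirdparty" authorized nobody.
func NewDemoChain() *Chain {
	return &Chain{
		Balances: map[Address]uint64{"user": 100, "thirdparty": 1000},
		Grants:   map[Address]map[Address]bool{"user": {"contract": true}},
	}
}
```

With the vulnerable handler a message naming "thirdparty" as funder passes the check and moves its whole balance; with the fixed handler the same message is rejected, while funding from "user" (which did grant "contract") still succeeds.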
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/evmos/evmos/security/advisories/GHSA-q6hg-6m9x-5g9c
Patch (x_refsource_misc): https://github.com/evmos/evmos/commit/0a620e176617a835ac697eea494afea09185dfaf
Scores
CVSS v3: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0034 (percentile 56.5%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-863
Status: published
Products (2)
evmos/evmos: < 19.0.0
evmos/evmos: 0 - 19.0.0 (Go)
Published: Jul 05, 2024
Tracked Since: Feb 18, 2026