Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested…
GitHub_M·CWE-682·Published 2024-06-06
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0.
# Evmos is missing create validator check in github.com/evmos/evmos
## Impact

This advisory has been created to address the following vulnerabilities found in the Evmos codebase and affecting vesting accounts.

### Wrong spendable balance computation

The spendable balance is not updated properly when delegating vested tokens. The following example helps in describing the issue:

- Given a clawback vesting account with a starting `15M` vesting schedule. The initial spendable balance is `0`.
- Time passes and `5M` are vested. The spendable balance is now `5M`.
- The account delegates `5M`. The spendable balance should be `0`, but returns `5M`.
- The account can send `5M` to another account.

The issue allowed a clawback vesting account to anticipate the release of unvested tokens.

### Missing precompile checks

Preliminary checks on actions computed by the clawback vesting accounts are performed in the ante handler. Evmos core implements two different ante handlers: one for Cosmos transactions and one for Ethereum transactions. The checks performed in the two implementations are different. The vulnerability discovered allowed a clawback account to bypass the Cosmos ante handler checks by sending an Ethereum transaction targeting a precompile used to interact with a Cosmos SDK module.

### Missing create validator check

This vulnerability allowed a user to create a validator using vested tokens to deposit the self-bond.

## Patches

- The spendable balance function has been fixed by correcting the `TrackDelegation` function.
- The checks for the staking module, for delegation and create validator, have been moved into the `MsgServer` of a wrapper around the Cosmos SDK staking module.

The issues have been patched in versions >= v18.0.0.

## References

1. [Evmos vesting module](https://docs.evmos.org/protocol/modules/vesting)

## For more information

If you have any questions or comments about this advisory:

- Reach out to the Core Team in [Discord](https://discord.gg/evmos)
- Open a discussion in [evmos/evmos](https://github.com/evmos/evmos/discussions)
- Email us at [security@evmos.org](mailto:security@evmos.org) for security questions
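The accounting failure described under "Wrong spendable balance computation" and the message-server gate described under "Patches", modelled in Go as an added example. This is not Evmos code: the `VestingAccount` fields, the rule that only vested coins may be delegated, the two tracking functions and the `Scenario` walk-through are assumptions of a simplified model built to show the symptom (spendable balance unchanged after delegating vested coins) beside the corrected accounting, and to show why the delegable-amount check belongs at the staking message handler rather than in one of two ante handlers.

```go
package main

import "fmt"

// VestingAccount is a simplified, illustrative model of a clawback-style vesting
// account, not Evmos's ClawbackVestingAccount: the field names and the rule that
// only vested coins may be delegated are assumptions of this example.
type VestingAccount struct {
	Balance          int64 // liquid coins in the bank module (delegated coins have left)
	TotalVesting     int64 // coins subject to the vesting schedule
	Vested           int64 // coins released by the schedule so far
	DelegatedVesting int64 // delegated coins attributed to the unvested portion
	DelegatedFree    int64 // delegated coins attributed to the vested portion
}

// sub0 is saturating subtraction: a-b floored at zero. min(a, b) is a-sub0(a, b).
func sub0(a, b int64) int64 {
	if a > b {
		return a - b
	}
	return 0
}

func NewVestingAccount(total int64) *VestingAccount {
	return &VestingAccount{Balance: total, TotalVesting: total}
}

// Vest releases amount from the schedule (time passing), capped at TotalVesting.
func (a *VestingAccount) Vest(amount int64) {
	a.Vested = a.TotalVesting - sub0(a.TotalVesting, a.Vested+amount)
}

// LockedCoins are unvested coins still in the account, i.e. unvested coins minus the
// part of the delegation attributed to them.
func (a *VestingAccount) LockedCoins() int64 { return sub0(a.TotalVesting-a.Vested, a.DelegatedVesting) }

// Spendable is what the account may transfer out: liquid balance minus locked coins.
func (a *VestingAccount) Spendable() int64 { return sub0(a.Balance, a.LockedCoins()) }

// Delegable is the vested amount that has not been delegated yet.
func (a *VestingAccount) Delegable() int64 { return sub0(a.Vested, a.DelegatedVesting+a.DelegatedFree) }

// Send transfers spendable coins to another account.
func (a *VestingAccount) Send(amount int64) error {
	if amount > a.Spendable() {
		return fmt.Errorf("send %d: only %d spendable", amount, a.Spendable())
	}
	a.Balance -= amount
	return nil
}

// trackDelegationUnvestedFirst reproduces the symptom in the advisory: the delegation is
// attributed to unvested coins first, so LockedCoins shrinks with Balance and Spendable stays 5M.
func (a *VestingAccount) trackDelegationUnvestedFirst(amount int64) {
	x := amount - sub0(amount, a.LockedCoins()) // min(amount, locked)
	a.DelegatedVesting += x
	a.DelegatedFree += amount - x
}

// trackDelegationVestedFirst is the corrected accounting for this model: only vested coins
// can be delegated, so they are attributed to the vested portion and unvested coins stay locked.
func (a *VestingAccount) trackDelegationVestedFirst(amount int64) {
	y := amount - sub0(amount, sub0(a.Vested, a.DelegatedFree)) // min(amount, vested not yet delegated)
	a.DelegatedFree += y
	a.DelegatedVesting += amount - y
}

// Delegate gates the request on Delegable(), the check a wrapper around the staking MsgServer
// would apply to MsgDelegate and to the MsgCreateValidator self-bond alike, whichever path
// (Cosmos tx or EVM precompile) produced the message, then books the coins with the chosen rule.
func (a *VestingAccount) Delegate(amount int64, fixedTracking bool) error {
	if amount > a.Delegable() {
		return fmt.Errorf("delegate %d: only %d vested undelegated coins", amount, a.Delegable())
	}
	a.Balance -= amount // coins move to the staking module
	if fixedTracking {
		a.trackDelegationVestedFirst(amount)
	} else {
		a.trackDelegationUnvestedFirst(amount)
	}
	return nil
}

// Scenario replays the advisory's walk-through (15M schedule, 5M vested, 5M delegated) and
// returns the spendable balance after delegating plus the outcome of a 5M send.
func Scenario(fixedTracking bool) (spendableAfterDelegate int64, sendErr error) {
	acct := NewVestingAccount(15_000_000)
	acct.Vest(5_000_000) // time passes: spendable is now 5M
	if err := acct.Delegate(5_000_000, fixedTracking); err != nil {
		return 0, err
	}
	spendableAfterDelegate = acct.Spendable()
	sendErr = acct.Send(5_000_000)
	return spendableAfterDelegate, sendErr
}

func main() {
	for _, fixed := range []bool{false, true} {
		s, err := Scenario(fixed)
		fmt.Printf("fixedTracking=%v: spendable after delegating 5M = %d, send 5M -> %v\n", fixed, s, err)
	}
}
```

With `fixedTracking=false` the model reports `5M` spendable after the delegation and accepts the `5M` send, which is the sequence the advisory lists; with `fixedTracking=true` the spendable balance is `0` and the send is rejected. The `Delegable()` check sits in `Delegate` itself, so it cannot be skipped by choosing a transaction path that reaches the staking logic through a different ante handler.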
| CVSS version | Type | Source | Base score | Exploitability | Impact | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| 3.1 | Primary | cve.org | 3.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
| 3.1 | Secondary | NVD | 3.5 | 2.1 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
| 3.1 | Secondary | GHSA | 3.5 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |