CVE-2024-37154

5.3 MEDIUM

📋 TL;DR

This vulnerability in Evmos allows users to delegate tokens that haven't vested yet, specifically affecting employees and grantees with funds in ClawbackVestingAccount. It enables unauthorized delegation of locked funds before they become available to the account holder. The issue impacts Evmos versions 18.1.0 and earlier.

💻 Affected Systems

Products:
  • Evmos
Versions: 18.1.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with ClawbackVestingAccount types (typically employees and grantees)

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Employees or grantees could delegate their unvested tokens to malicious validators, potentially losing control of funds that should remain locked until vesting conditions are met.

🟠 Likely Case

Accidental or intentional delegation of unvested tokens before they're supposed to be available, disrupting vesting schedules and fund management.

🟢 If Mitigated

Proper access controls and monitoring prevent unauthorized delegation attempts, maintaining intended vesting schedules.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to an affected ClawbackVestingAccount.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.1.1

Vendor Advisory: https://github.com/evmos/evmos/security/advisories/GHSA-7hrh-v6wp-53vw

Restart Required: Yes

Instructions:

1. Update Evmos to version 18.1.1 or later
2. Restart the Evmos node
3. Verify the update was successful

🔧 Temporary Workarounds

Monitor ClawbackVestingAccount activity
Versions: all
Implement monitoring for delegation transactions from ClawbackVestingAccounts

🧯 If You Can't Patch

  • Implement strict access controls for ClawbackVestingAccount operations
  • Monitor and alert on any delegation transactions from ClawbackVestingAccounts

🔍 How to Verify

Check if Vulnerable:

Check if running Evmos version 18.1.0 or earlier

Check Version:

evmosd version

Verify Fix Applied:

Verify Evmos version is 18.1.1 or later

📡 Detection & Monitoring

Log Indicators:

  • Delegation transactions from ClawbackVestingAccount addresses

Network Indicators:

  • Unusual delegation patterns from employee/grantee accounts

SIEM Query:

transaction_type:delegation AND account_type:ClawbackVestingAccount
