Page 2 of 9 results (0.015 seconds)

CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0. Evmos es el centro de máquinas virtuales Ethereum (EVM) en Cosmos Network. • https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v • CWE-682: Incorrect Calculation •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Prior to 17.0.0, there is a way to mint arbitrary tokens due to the possibility to have two different states not in sync during the execution of a transaction. The exploit is based on the fact that to sync the Cosmos SDK state and the EVM one, we rely on the `stateDB.Commit()` method. When we call this method, we iterate though all the `dirtyStorage` and, **if and only if** it is different than the `originStorage`, we set the new state. Setting the new state means we update the Cosmos SDK KVStore. • https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/statedb.go#L460-L465 https://github.com/evmos/evmos/commit/08982b5ee726b97bc50eaf58d1914829648b6a5f https://github.com/evmos/evmos/security/advisories/GHSA-3fp5-2xwh-fxm6 • CWE-662: Improper Synchronization •

CVSS: 8.2EPSS: 0%CPEs: 4EXPL: 1

Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount`function, all contracts that used the identical bytecode (i.e shared the same `CodeHash`) will also stop working once one contract invokes `selfdestruct`, even though the other contracts did not invoke the `selfdestruct` OPCODE. This vulnerability has been patched in Ethermint version v0.18.0. The patch has state machine-breaking changes for applications using Ethermint, so a coordinated upgrade procedure is required. • https://github.com/evmos/ethermint/blob/c9d42d667b753147977a725e98ed116c933c76cb/x/evm/keeper/statedb.go#L199-L203 https://github.com/evmos/ethermint/commit/144741832007a26dbe950512acbda4ed95b2a451 https://github.com/evmos/ethermint/security/advisories/GHSA-f92v-grc2-w2fg • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions of evmos prior to 2.0.1 attackers are able to drain unclaimed funds from user addresses. To do this an attacker must create a new chain which does not enforce signature verification and connects it to the target evmos instance. The attacker can use this joined chain to transfer unclaimed funds. Users are advised to upgrade. • https://github.com/tharsis/evmos/commit/28870258d4ee9f1b8aeef5eba891681f89348f71 https://github.com/tharsis/evmos/releases/tag/v2.0.1 https://github.com/tharsis/evmos/security/advisories/GHSA-5jgq-x857-p8xw • CWE-287: Improper Authentication •