
CVSS: 3.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0. • https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb • https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v • CWE-682: Incorrect Calculation

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Prior to 17.0.0, it is possible to mint arbitrary tokens because two different states can be out of sync during the execution of a transaction. The exploit is based on the fact that to sync the Cosmos SDK state and the EVM one, we rely on the `stateDB.Commit()` method. When we call this method, we iterate through all the `dirtyStorage` and, **if and only if** it is different from the `originStorage`, we set the new state. Setting the new state means we update the Cosmos SDK KVStore. • https://github.com/evmos/evmos/blob/b196a522ba4951890b40992e9f97aa610f8b5f9c/x/evm/statedb/statedb.go#L460-L465 • https://github.com/evmos/evmos/commit/08982b5ee726b97bc50eaf58d1914829648b6a5f • https://github.com/evmos/evmos/security/advisories/GHSA-3fp5-2xwh-fxm6 • CWE-662: Improper Synchronization

CVSS: 8.2 • EPSS: 0% • CPEs: 4 • EXPL: 1

Ethermint is an Ethereum library. In Ethermint running versions before `v0.17.2`, the contract `selfdestruct` invocation permanently removes the corresponding bytecode from the internal database storage. However, due to a bug in the `DeleteAccount` function, all contracts that used the identical bytecode (i.e. shared the same `CodeHash`) will also stop working once one contract invokes `selfdestruct`, even though the other contracts did not invoke the `selfdestruct` OPCODE. This vulnerability has been patched in Ethermint version v0.18.0. The patch has state machine-breaking changes for applications using Ethermint, so a coordinated upgrade procedure is required. • https://github.com/evmos/ethermint/blob/c9d42d667b753147977a725e98ed116c933c76cb/x/evm/keeper/statedb.go#L199-L203 • https://github.com/evmos/ethermint/commit/144741832007a26dbe950512acbda4ed95b2a451 • https://github.com/evmos/ethermint/security/advisories/GHSA-f92v-grc2-w2fg • CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. In versions of evmos prior to 2.0.1, attackers are able to drain unclaimed funds from user addresses. To do this, an attacker must create a new chain which does not enforce signature verification and connect it to the target evmos instance. The attacker can use this joined chain to transfer unclaimed funds. Users are advised to upgrade. • https://github.com/tharsis/evmos/commit/28870258d4ee9f1b8aeef5eba891681f89348f71 • https://github.com/tharsis/evmos/releases/tag/v2.0.1 • https://github.com/tharsis/evmos/security/advisories/GHSA-5jgq-x857-p8xw • CWE-287: Improper Authentication

CVSS: 7.5 • EPSS: 0% • CPEs: 4 • EXPL: 0

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom-crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are no tested workarounds. All validator node operators are recommended to upgrade to Cronos v0.6.5 at their earliest possible convenience. • https://github.com/crypto-org-chain/cronos/commit/150ef237b37ac28c8136e1c0f494932860b9ebe8 • https://github.com/crypto-org-chain/cronos/pull/270 • https://github.com/crypto-org-chain/cronos/security/advisories/GHSA-f854-hpxv-cw9r • CWE-670: Always-Incorrect Control Flow Implementation