CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39696 – Evmos vulnerable to exploit of smart contract account and vesting
https://notcve.org/view.php?id=CVE-2024-39696
Evmos is a decentralized Ethereum Virtual Machine chain on the Cosmos Network. Prior to version 19.0.0, a user can create a vesting account with a 3rd party account (EOA or contract) as funder. Then, this user can create an authorization for the contract.CallerAddress, this is the authorization checked in the code. But the funds are taken from the funder address provided in the message. Consequently, the user can fund a vesting account with a 3rd party account without its permission. • https://github.com/evmos/evmos/commit/0a620e176617a835ac697eea494afea09185dfaf https://github.com/evmos/evmos/security/advisories/GHSA-q6hg-6m9x-5g9c • CWE-863: Incorrect Authorization •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37159 – Evmos is missing create validator check
https://notcve.org/view.php?id=CVE-2024-37159
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. This vulnerability allowed a user to create a validator using vested tokens to deposit the self-bond. This vulnerability is fixed in 18.0.0. Evmos es el centro de máquinas virtuales Ethereum (EVM) en Cosmos Network. Esta vulnerabilidad permitió a un usuario crear un validador utilizando tokens adquiridos para depositar el autobono. • https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v • CWE-285: Improper Authorization •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37158 – Evmos is missing precompile checks
https://notcve.org/view.php?id=CVE-2024-37158
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Preliminary checks on actions computed by the clawback vesting accounts are performed in the ante handler. Evmos core, implements two different ante handlers: one for Cosmos transactions and one for Ethereum transactions. Checks performed on the two implementation are different. The vulnerability discovered allowed a clawback account to bypass Cosmos ante handler checks by sending an Ethereum transaction targeting a precompile used to interact with a Cosmos SDK module. • https://github.com/evmos/evmos/commit/b2a09ca66613d8b04decd3f2dcba8e1e77709dcb https://github.com/evmos/evmos/security/advisories/GHSA-pxv8-qhrh-jc7v • CWE-691: Insufficient Control Flow Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37154 – Evmos allows unvested token delegations
https://notcve.org/view.php?id=CVE-2024-37154
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. This affects 18.1.0 and earlier. Evmos es el centro de máquinas virtuales Ethereum (EVM) en Cosmos Network. • https://github.com/evmos/evmos/security/advisories/GHSA-7hrh-v6wp-53vw • CWE-285: Improper Authorization •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37153 – Evmos's contract balance not updating correctly after interchain transaction
https://notcve.org/view.php?id=CVE-2024-37153
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. There is an issue with how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract's balance, that is using the contract address as the sender parameter in an ICS20 transfer using the ICS20 precompile. This is in essence the "infinite money glitch" allowing contracts to double the supply of Evmos after each transaction.The issue has been patched in versions >=V18.1.0. Evmos es el centro de máquinas virtuales Ethereum (EVM) en Cosmos Network. • https://github.com/evmos/evmos/commit/478b7a62e7af57a70cf3a01126c7f5a89bee69d7 https://github.com/evmos/evmos/security/advisories/GHSA-xgr7-jgq3-mhmc • CWE-670: Always-Incorrect Control Flow Implementation •