Gatom22

**Name of the Vulnerable Software and Affected Versions** Evmos versions prior to 19.0.0 **Description** The issue allows a user to create a vesting account with a 3rd party account as funder without its permission. This is possible because the authorization checked in the code is for the `contract.CallerAddress`, but the funds are taken from the `funder address` provided in the message. Consequently, the user can fund a vesting account with a 3rd party account without its permission, potentially draining all accounts in the chain. **Recommendations** For versions prior to 19.0.0, update to version 19.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vesting account creation feature to minimize the risk of exploitation. Avoid using the `funder address` parameter in the affected API endpoint until the issue is resolved.