PT-2024-24929 · Evmos · Evmos

Published: 2024-06-06 · Updated: 2024-10-15 · CVE-2024-32873

CVSS v3.1: 3.5 (Low)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Evmos versions prior to 18.0.0

Description: The spendable balance of a clawback vesting account is not updated correctly when vested tokens are delegated, which lets the account use unvested tokens before the vesting schedule releases them. The root cause is an incorrect computation of the spendable balance. For instance, if a clawback vesting account has a vesting schedule of 15M of which 5M are vested, the spendable balance should be 0 after delegating 5M, but it remains 5M, so the account can still send 5M to another account. In addition, missing precompile checks and missing create-validator checks allow the Cosmos ante handler checks to be bypassed by sending an Ethereum transaction, or a validator to be created using vested tokens.

Recommendations: For versions prior to 18.0.0, update to version 18.0.0 or later, which fixes the spendable balance computation, the precompile checks, and the create-validator checks. As a temporary workaround, consider restricting the use of vested tokens for delegations and validator creation until the update is applied.
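The balance arithmetic from the description, as an added example that is not Evmos's own code: a constructed model of a clawback vesting account using the Cosmos-style rule "locked = unvested minus delegated-vesting", with the advisory's numbers (15M schedule, 5M vested, 5M delegated). Charging the delegation to the unvested portion first leaves 5M spendable; charging it to the vested portion first yields the expected 0. The type, field names and `clamp` helper are assumptions of this model.

```go
package main

import "fmt"

// ClawbackAccount is a constructed, simplified model; it is not Evmos's own type.
// Amounts are plain integers (millions of tokens) to keep the arithmetic visible.
type ClawbackAccount struct {
	Balance          int64 // liquid coins held by the account; delegated coins leave it
	Unvested         int64 // coins still locked by the vesting schedule
	DelegatedVesting int64 // delegated coins attributed to the unvested portion
	DelegatedFree    int64 // delegated coins attributed to the vested portion
}

// Vested returns the coins released so far, whether still liquid or delegated.
func (a *ClawbackAccount) Vested() int64 {
	return a.Balance + a.DelegatedVesting + a.DelegatedFree - a.Unvested
}

// Delegate moves amount out of the liquid balance and records which portion it is
// charged to. chargeUnvestedFirst reproduces the accounting the advisory describes
// as incorrect for clawback accounts; false charges the vested portion first.
func (a *ClawbackAccount) Delegate(amount int64, chargeUnvestedFirst bool) error {
	if amount <= 0 || amount > a.Balance {
		return fmt.Errorf("cannot delegate %d: liquid balance is %d", amount, a.Balance)
	}
	var toVesting int64
	if chargeUnvestedFirst {
		toVesting = clamp(a.Unvested-a.DelegatedVesting, 0, amount)
	} else {
		toVesting = amount - clamp(a.Vested()-a.DelegatedFree, 0, amount)
	}
	a.Balance -= amount
	a.DelegatedVesting += toVesting
	a.DelegatedFree += amount - toVesting
	return nil
}

// Spendable mirrors the bank rule: liquid balance minus locked coins, where locked
// coins are the unvested coins that have not already been counted as delegated.
func (a *ClawbackAccount) Spendable() int64 {
	locked := clamp(a.Unvested-a.DelegatedVesting, 0, a.Unvested)
	return clamp(a.Balance-locked, 0, a.Balance)
}

func clamp(v, lo, hi int64) int64 {
	if v < lo {
		return lo
	}
	if v > hi {
		return hi
	}
	return v
}

func main() {
	for _, unvestedFirst := range []bool{true, false} {
		acc := &ClawbackAccount{Balance: 15, Unvested: 10} // 15M schedule, 5M vested
		_ = acc.Delegate(5, unvestedFirst)
		fmt.Printf("charge unvested first=%v -> spendable %dM\n", unvestedFirst, acc.Spendable())
	}
}
```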

Related Identifiers

CVE-2024-32873
GHSA-PXV8-QHRH-JC7V
GO-2024-2891
GO-2024-2926
GO-2024-2927

Affected Products

Evmos