PT-2024-27342 · Evmos · Evmos
Published: 2024-06-06 · Updated: 2024-06-28 · CVE-2024-37158
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Evmos versions prior to 18.0.0
Description
The vulnerability affects Evmos clawback vesting accounts. First, the spendable balance was computed incorrectly when vested tokens were delegated, which let a clawback account access unvested tokens before their scheduled release. Second, the preliminary checks on actions performed by clawback vesting accounts were applied differently in the ante handlers for Cosmos and Ethereum transactions; because of this discrepancy, a clawback account could bypass the Cosmos ante handler checks by sending an Ethereum transaction to a precompile used to interact with a Cosmos SDK module. Third, missing checks allowed a user to create a validator whose self-bond was deposited from vested tokens.
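As an added illustration (not Evmos's or the Cosmos SDK's code), a simplified single-denomination model of the vesting-account bookkeeping the description refers to: how locked, spendable and delegated coins relate, what TrackDelegation updates, and the invariant every delegation or self-bond check has to preserve on both transaction paths. The vesting schedule is reduced to a `vested` argument, and all names and sample values are assumptions.

```go
package main
import "fmt"
// Simplified single-denomination model of a vesting account's delegation
// bookkeeping (added illustration, not Evmos or Cosmos SDK source code).
type VestingAccount struct {
	Balance          int64 // liquid coins held by the account
	OriginalVesting  int64 // coins subject to the vesting schedule
	DelegatedVesting int64 // delegated coins that were still vesting
	DelegatedFree    int64 // delegated coins that were already vested
}
func minI(a, b int64) int64 { if a < b { return a }; return b }
func maxI(a, b int64) int64 { if a > b { return a }; return b }
// VestingCoins: coins not yet vested; the schedule is abstracted into `vested`.
func (a *VestingAccount) VestingCoins(vested int64) int64 { return maxI(a.OriginalVesting-vested, 0) }
// LockedCoins: unvested coins still held by the account, i.e. not delegated.
func (a *VestingAccount) LockedCoins(vested int64) int64 { return maxI(a.VestingCoins(vested)-a.DelegatedVesting, 0) }
// Spendable: ceiling for any transfer, delegation or validator self-bond, on
// both the Cosmos and the EVM/precompile path.
func (a *VestingAccount) Spendable(vested int64) int64 { return maxI(a.Balance-a.LockedCoins(vested), 0) }
// TrackDelegation delegates out of unvested coins first, the rest from vested.
func (a *VestingAccount) TrackDelegation(vested, amount int64) error {
	if amount <= 0 || amount > a.Balance {
		return fmt.Errorf("cannot delegate %d with balance %d", amount, a.Balance)
	}
	x := minI(maxI(a.VestingCoins(vested)-a.DelegatedVesting, 0), amount)
	a.DelegatedVesting += x
	a.DelegatedFree += amount - x
	a.Balance -= amount
	return nil
}
// TrackUndelegation returns coins, refunding vested delegations first.
func (a *VestingAccount) TrackUndelegation(amount int64) {
	y := minI(a.DelegatedFree, amount)
	a.DelegatedFree -= y
	a.DelegatedVesting -= minI(a.DelegatedVesting, amount-y)
	a.Balance += amount
}

// CheckInvariant is the property the accounting must keep after every step:
// unvested coins are never spendable, whether held or delegated.
func (a *VestingAccount) CheckInvariant(vested int64) bool {
	total := a.Balance + a.DelegatedVesting + a.DelegatedFree
	return a.Spendable(vested) <= maxI(total-a.VestingCoins(vested), 0)
}

func main() {
	a := &VestingAccount{Balance: 100, OriginalVesting: 100} // constructed sample
	_ = a.TrackDelegation(0, 60)                             // all 60 come from unvested coins
	fmt.Println(a.Spendable(40), a.CheckInvariant(40))       // 40 true
}
```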
Recommendations
For versions prior to 18.0.0, update to version 18.0.0 or later to fix the issues with spendable balance computation, precompile checks, and create validator checks. As a temporary workaround, consider restricting the use of vested tokens for delegations and validator creation until the update is applied. Avoid using the TrackDelegation function in the affected versions until the fix is implemented. Restrict access to the precompile used to interact with the Cosmos SDK module to minimize the risk of exploitation.
Related Identifiers
Affected Products
Evmos