PT-2024-27343 · Evmos · Evmos
Published 2024-06-06 · Updated 2024-06-28 · CVE-2024-37159
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Evmos versions prior to 18.0.0
Description
The issue concerns the Evmos codebase, specifically vesting accounts, and involves three problems: a wrong spendable balance computation, missing precompile checks, and a missing create validator check. The wrong spendable balance computation occurs when delegating vested tokens and allows a clawback vesting account to anticipate the release of unvested tokens. The missing precompile checks enable a clawback account to bypass the Cosmos ante handler checks by sending an Ethereum transaction that targets a precompile used to interact with a Cosmos SDK module. The missing create validator check allows a user to create a validator using vested tokens to deposit the self-bond.
Recommendations
For versions prior to 18.0.0, update to version 18.0.0 or later, which fixes the spendable balance function and implements the necessary checks for the staking module, delegation, and create validator. As a temporary workaround, consider restricting the use of vested tokens for delegations and for creating validators until the update is applied, and avoid using the TrackDelegation function in the affected versions until the issue is resolved.
Improper Authorization
Affected Products
Evmos