CVE-2024-39696

Name of the Vulnerable Software and Affected Versions Evmos versions prior to 19.0.0

Description The issue allows a user to create a vesting account with a 3rd party account as funder without its permission. This is possible because the authorization checked in the code is for the contract.CallerAddress, but the funds are taken from the funder address provided in the message. Consequently, the user can fund a vesting account with a 3rd party account without its permission, potentially draining all accounts in the chain.

Recommendations For versions prior to 19.0.0, update to version 19.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vesting account creation feature to minimize the risk of exploitation. Avoid using the funder address parameter in the affected API endpoint until the issue is resolved.