CVE-2024-32873 LOW

CVE-2024-32873: evmos allows transferring unvested tokens after delegations

Vendor Evmos
Product evmos
Weakness CWE-682
Published June 6, 2024
Last update August 2, 2024

CVSS base score

3.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01 Description

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to bring forward the release of unvested tokens, so they can be transferred before they vest. This vulnerability is fixed in 18.0.0.

Key dates

02 Disclosure timeline

June 6, 2024 CVE published
August 2, 2024 Record updated