CVE-2024-39696: Critical Vulnerability Exposed Evmos Network to Potential Total Loss of Funds
The Evmos project, renowned for being the first decentralized Ethereum Virtual Machine (EVM) chain on the Cosmos Network, has issued a critical security advisory concerning a severe vulnerability in its codebase. Identified as CVE-2024-39696, this flaw poses a significant risk to the security of funds across the entire Evmos blockchain.
Evmos, the flagship implementation of Ethermint, an EVM library designed for the Cosmos Network by the Evmos Core Development Team, focuses on native, cross-chain applications. This innovative platform, however, has encountered a critical security issue that threatens the integrity and security of its smart contract accounts and vesting mechanisms.
The vulnerability centers around the authorization check on the fundVestingAccount function. In its current implementation, a user can create a vesting account with a third-party account (either an Externally Owned Account or a contract) as the funder. Here's how the exploit works:
- Vesting Account Creation: A user creates a vesting account and designates a third-party account as the funder.
- Authorization Exploit: The user can then create an authorization for the contract.CallerAddress, which is the authorization checked in the code.
- Unauthorized Fund Transfer: Despite the authorization check, the funds are taken from the funder address specified in the message. This allows the user to fund a vesting account with funds from a third-party account without the owner's permission.
This exploit can potentially drain all the accounts on the Evmos chain, leading to substantial financial losses.
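The flaw is a classic mismatch between the principal that is authorized and the principal whose funds move. The simplified Go model below is written for this article and is not Evmos code: only fundVestingAccount and contract.CallerAddress come from the advisory, while Chain, FundVestingMsg, AuthVulnerable and AuthFixed are assumed names, and the grant store is a toy stand-in for the chain's real authorization module.

```go
package main

import "errors"

// Address and the other names below are constructed for this example; they
// are not the chain's real types.
type Address string

// FundVestingMsg names whose funds move (Funder) and the vesting account funded.
type FundVestingMsg struct {
	Funder, VestingAccount Address
	Amount                 uint64
}

// Chain is a toy ledger. Grants[granter][grantee] is true when granter has
// authorized grantee to fund vesting accounts out of granter's balance.
type Chain struct {
	Balances map[Address]uint64
	Grants   map[Address]map[Address]bool
}

var ErrUnauthorized = errors.New("caller is not authorized by the funder")

// AuthVulnerable models the pre-patch check: it consults the grant belonging to
// the caller (contract.CallerAddress), which the caller can create for itself.
func (c *Chain) AuthVulnerable(caller Address, msg FundVestingMsg) bool {
	return c.Grants[caller][caller]
}

// AuthFixed ties the check to the principal whose funds move: the caller must be
// the funder itself or hold a grant issued by the funder.
func (c *Chain) AuthFixed(caller Address, msg FundVestingMsg) bool {
	return caller == msg.Funder || c.Grants[msg.Funder][caller]
}

// FundVestingAccount runs the chosen check and then, as in the affected code,
// debits msg.Funder rather than the caller.
func (c *Chain) FundVestingAccount(caller Address, msg FundVestingMsg,
	authorized func(Address, FundVestingMsg) bool) error {
	if !authorized(caller, msg) {
		return ErrUnauthorized
	}
	if c.Balances[msg.Funder] < msg.Amount {
		return errors.New("insufficient funds")
	}
	c.Balances[msg.Funder] -= msg.Amount
	c.Balances[msg.VestingAccount] += msg.Amount
	return nil
}
```

The useful review question for any "act on behalf of X" handler is whether the grant being checked was issued by X; here the vulnerable check never consults the funder at all.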
According to the ImmuneFi Severity Classification System, the severity of CVE-2024-39696 has been classified as Critical. The potential for unauthorized fund transfers and direct financial loss makes this vulnerability particularly dangerous.
The Evmos Core Development Team has acted swiftly to address this critical issue. A patch will be released in versions V19.0.0 and later, which resolves the vulnerability by ensuring proper authorization checks and preventing unauthorized fund transfers.