Evmos allows unvested token delegations

Vulnerability

Description

CVE-2024-37154 is a vulnerability in Evmos, the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network, affecting versions 18.1.0 and earlier. The flaw permits users to delegate tokens that have not yet vested when using the ClawbackVestingAccount module [1][2]. This bypasses intended vesting schedules, allowing premature use of funds designated for gradual release.

Attack

Vector

An employee or grantee with a ClawbackVestingAccount can delegate unvested tokens to validators, effectively using locked funds for staking rewards before they are legally available [2]. The exploit requires no special privileges beyond access to the account; it can be triggered via standard CLI commands for vesting account creation and staking delegation [2].

Impact

Successful exploitation undermines token vesting controls, enabling beneficiaries to gain staking rewards on unvested tokens and potentially withdraw staked positions if unstaking is also permitted. This could result in financial loss for the protocol or its grantors, as employees and grantees may claim benefits before fulfilling vesting conditions.

Mitigation

As of the advisory, no official patch has been released for Evmos itself. The developers have identified a partial fix in a pull request, with the remainder dependent on a Cosmos SDK fork update [2]. There are no effective workarounds, and the recommendation is to limit knowledge of the vulnerability pending a full release.