CVE-2024-37154: Evmos allows unvested token delegations

June 6, 2024 (updated October 15, 2024)

What kind of vulnerability is it? Who is impacted?

At the moment, users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via ClawbackVestingAccount.

References

github.com/advisories/GHSA-7hrh-v6wp-53vw
github.com/evmos/evmos
github.com/evmos/evmos/security/advisories/GHSA-7hrh-v6wp-53vw
nvd.nist.gov/vuln/detail/CVE-2024-37154
pkg.go.dev/vuln/GO-2024-2904

Code Behaviors & Features

Detect and mitigate CVE-2024-37154 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →