CVE-2024-32873

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-32873

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-32873.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-32873

Aliases

Published

2024-06-06T18:13:54.267Z

Modified

2025-12-05T04:20:14.496368Z

Severity

3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVSS Calculator

Summary

evmos allows transferring unvested tokens after delegations

Details

Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. The spendable balance is not updated properly when delegating vested tokens. The issue allows a clawback vesting account to anticipate the release of unvested tokens. This vulnerability is fixed in 18.0.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/32xxx/CVE-2024-32873.json",
    "cwe_ids": [
        "CWE-682"
    ]
}

References

Affected packages

Git / github.com/evmos/evmos

Affected ranges

Type: GIT
Repo: https://github.com/evmos/evmos
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

2f9b757e89be8345134d70f805683830b32aa479

Affected versions

v16.*

v16.0.0

v16.0.0-rc1

v16.0.0-rc2

v16.0.0-rc2.1

v16.0.0-rc4

v16.0.0-rc5

v16.0.1

v16.0.2

v16.0.3

v17.*

v17.0.0