
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-39696 affects Evmos, a decentralized Ethereum Virtual Machine chain on the Cosmos Network. The vulnerability was discovered in versions prior to 19.0.0, where users could create a vesting account with a third-party account as funder and exploit an authorization check flaw. The issue was disclosed on July 5, 2024, and patched in version 19.0.0 (Vendor Advisory).
The vulnerability stems from an improper authorization check in the fundVestingAccount function. A user could create a vesting account designating a third-party account (either an Externally Owned Account or contract) as the funder. While the code checks authorization for the contract.CallerAddress, the actual funds are taken from the funder address specified in the message. This implementation flaw allows unauthorized fund transfers from any address on the chain (Security Online, Vendor Advisory).
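The mismatch described above, shown as an added example that is not Evmos source code: a simplified Go model in which one handler authorizes the caller while debiting the funder named in the message, next to a handler that ties the check to the debited account. Every type, function and account name here (Ledger, FundMsg, FundFlawed, FundChecked, alice, bob) is an assumption made for illustration.

```go
package main

import "errors"
import "fmt"

// Simplified model: all names below are assumptions, not Evmos source code.
type FundMsg struct {
	Funder, Vestee string // Funder is debited, Vestee is credited
	Amount         uint64
}

type Ledger struct {
	Balances map[string]uint64
	Grants   map[string]map[string]bool // Grants[owner][spender]
}

var ErrUnauthorized = errors.New("caller may not spend the funder's balance")

func (l *Ledger) mayActFor(caller, account string) bool { // self or granted
	return caller == account || l.Grants[account][caller]
}

func (l *Ledger) transfer(m FundMsg) error {
	if l.Balances[m.Funder] < m.Amount {
		return errors.New("insufficient funds")
	}
	l.Balances[m.Funder] -= m.Amount
	l.Balances[m.Vestee] += m.Amount
	return nil
}

// FundFlawed authorizes the caller but debits m.Funder (the mismatch).
func (l *Ledger) FundFlawed(caller string, m FundMsg) error {
	if !l.mayActFor(caller, caller) { // wrong subject: always passes
		return ErrUnauthorized
	}
	return l.transfer(m)
}

// FundChecked ties the authorization decision to the debited account.
func (l *Ledger) FundChecked(caller string, m FundMsg) error {
	if !l.mayActFor(caller, m.Funder) {
		return ErrUnauthorized
	}
	return l.transfer(m)
}

func main() { // constructed accounts: bob names alice as funder
	l := &Ledger{Balances: map[string]uint64{"alice": 100}}
	fmt.Println(l.FundChecked("bob", FundMsg{"alice", "vest", 100}))
}
```

A regression test for this class of bug asserts that the funder's balance is unchanged whenever the caller is neither the funder nor holds a grant from the funder.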
The vulnerability was classified as Critical according to the ImmuneFi Severity Classification System. It could potentially be exploited to drain funds from any account on the Evmos blockchain, leading to a total loss of funds across the entire chain (Security Online).
The vulnerability has been patched in Evmos version 19.0.0. Users and organizations running affected versions should upgrade immediately to the patched version to prevent potential exploitation (Vendor Advisory).
Source: This report was generated using AI