
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
The vulnerability (GHSA-m99c-q26r-m7m7) affects the vesting module of the Evmos blockchain platform and was discovered and disclosed on April 17, 2024. This moderate-severity vulnerability impacts all versions of Evmos up to and including version 13.0.2. It affects multiple versions of the github.com/evmos/evmos package and its vesting submodule (GitHub Advisory).
The vulnerability allows attackers to create new vesting accounts at specific addresses before contract deployment. This is possible because EVM smart contract addresses are deterministic, enabling potential front-running attacks on contract creation. When an address is initialized without deployed contract code, subsequent contract deployment at that address becomes impossible. The issue has been assigned a moderate severity rating and affects multiple versions of the Evmos platform (GitHub Advisory, Go Vulnerability).
The primary impact of this vulnerability is the potential disruption of smart contract deployments. Malicious actors can prevent smart contracts from being deployed correctly by pre-emptively creating vesting accounts at targeted addresses. This creates a denial-of-service condition for contract deployment operations, potentially affecting the platform's normal operation and user activities (GitHub Advisory).
A new user flow is being implemented as a remediation measure. In the updated flow, only the account receiving the vesting funds will be able to create such an account by calling the CreateClawbackVestingAccount method and defining a funder address. Subsequently, vesting and lockup periods can be created by that funder address using FundClawbackAccount (GitHub Advisory).
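The blocked-deployment condition and the remediated flow described above, as a simplified model added here for illustration (not Evmos source code). The Chain and Account types, the SelfCreate switch, the Scenario helper and the address strings are constructed assumptions; only the method name CreateClawbackVestingAccount comes from the advisory text.

```go
package main

import "errors"
import "fmt"

// Simplified model of the advisory's account rules; not Evmos source code.
type Account struct {
	Funder string // address named as funder when the vesting account is created
	Code   []byte // empty for a non-contract account
}

type Chain struct {
	Accounts   map[string]*Account
	SelfCreate bool // true models the remediated flow
}

var ErrNotRecipient = errors.New("signer is not the vesting account")
var ErrInitialized = errors.New("address already initialized without code")

// CreateClawbackVestingAccount: remediated flow requires signer == target.
func (c *Chain) CreateClawbackVestingAccount(signer, target, funder string) error {
	if c.SelfCreate && signer != target {
		return ErrNotRecipient
	}
	c.Accounts[target] = &Account{Funder: funder}
	return nil
}

// DeployContract fails when addr was initialized before any code existed.
func (c *Chain) DeployContract(addr string, code []byte) error {
	if a, ok := c.Accounts[addr]; ok && len(a.Code) == 0 {
		return ErrInitialized
	}
	c.Accounts[addr] = &Account{Code: code}
	return nil
}

// Scenario: a third party names a predictable, not yet deployed address.
func Scenario(selfCreate bool) (createErr, deployErr error) {
	c := &Chain{Accounts: map[string]*Account{}, SelfCreate: selfCreate}
	const predicted = "0xCONSTRUCTED_CONTRACT_ADDR" // constructed placeholder
	createErr = c.CreateClawbackVestingAccount("0xTHIRD_PARTY", predicted, "0xTHIRD_PARTY")
	return createErr, c.DeployContract(predicted, []byte{0x60, 0x80})
}

func main() {
	fmt.Println(Scenario(false)) // old flow: creation succeeds, deployment blocked
	fmt.Println(Scenario(true))  // remediated flow: creation rejected, deployment succeeds
}
```

Because no one holds a signing key for an address that exists only as a future contract address, requiring the vesting account itself to sign the creation request removes the third-party path in this model.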
Source: This report was generated using AI