GHSA-2gw2-qgjg-xh6p: Namada-apps allows Post-Genesis Validator Bypass

February 20, 2025

Ledger crash. A user is able to initialize a post-genesis validator with a negative commission rate using the --force flag. If this validator gets into the consensus set, then when computing PoS inflation inside fn update_rewards_products_and_mint_inflation, an instance of mul_floor will cause the return of an Err, which causes finalize_block to error.

References

github.com/advisories/GHSA-2gw2-qgjg-xh6p
github.com/anoma/namada
github.com/anoma/namada/security/advisories/GHSA-2gw2-qgjg-xh6p

Detect and mitigate GHSA-2gw2-qgjg-xh6p with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →