GMS-2023-1810: cheqd-node subject to Cosmos SDK "Barberry" vulnerability

Impact

This vulnerability dubbed “Barberry” affects the Cosmos SDK framework used by cheqd-node as base.

It impacts the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework.

There is no vulnerability in the DID/resource modules for cheqd-node.

Patches

Node operators are requested to upgrade to cheqd-node v1.4.4. This is not a state-breaking release and does not require a coordinated upgrade across all node operators.

This vulnerability was patched in Cosmos SDK v0.46.13. Since this version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was backported to cheqd’s fork of Cosmos SDK.

Mitigation

When at least ~33% of the voting power of the network has deployed the recommended version of the software, any attack would be unsuccessful but cause a chain halt.

Once at least ~67% of the voting power of the network has deployed recommended version of the software, the attack would be unsuccessful without a chain halt.

Workarounds

No. Node operators are recommended to upgrade to the latest release version.

References

• “Barberry” vulnerability security advisory
• Cosmos SDK v0.46.13 release notes