Advisories for Golang/Github.com/Cosmos/Cosmos-Sdk package

2024

Transaction decoding may result in a stack overflow or resource exhaustion

ASA-2024-0012 When decoding a maliciously formed packet with a deeply-nested structure, it may be possible for a stack overflow to occur and result in a network halt. This was addressed by adding a recursion limit while decoding the packet. ASA-2024-0013 Nested messages in a transaction can consume exponential cpu and memory on UnpackAny calls. Themax_tx_bytes sets a limit for external TX but is not applied for internal messages emitted by …

ASA-2024-006: ValidateVoteExtensions helper function in Cosmos SDK may allow incorrect voting power assumptions

ASA-2024-006: ValidateVoteExtensions helper function may allow incorrect voting power assumptions Component: Cosmos SDK Criticality: High Affected Versions: Cosmos SDK versions <= 0.50.4, on 0.50 branches Affected Users: Chain developers, Validator and Node operators Impact: Elevation of Privilege Summary The default ValidateVoteExtensions helper function infers total voting power based off of the injected VoteExtension, which are injected by the proposer. If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest …

ASA-2024-005: Potential slashing evasion during re-delegation

An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.

ASA-2024-003: Missing `BlockedAddressed` Validation in Vesting Module

ASA-2024-003: Missing BlockedAddressed Validation in Vesting Module Component: Cosmos SDK Criticality: Low Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Description A vulnerability was identified in the x/auth/vesting module, which can allow a user to create a periodic vesting account on a blocked address, for example a non-initialized module account. Additional validation was added to prevent creation …

ASA-2024-003: Missing `BlockedAddressed` Validation in Vesting Module

ASA-2024-003: Missing BlockedAddressed Validation in Vesting Module Component: Cosmos SDK Criticality: Low Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Description A vulnerability was identified in the x/auth/vesting module, which can allow a user to create a periodic vesting account on a blocked address, for example a non-initialized module account. Additional validation was added to prevent creation …

ASA-2024-002: Default `PrepareProposalHandler` may produce invalid proposals when used with default `SenderNonceMempool`

ASA-2024-002: Default PrepareProposalHandler may produce invalid proposals when used with default SenderNonceMempool Component: Cosmos SDK Criticality: Medium Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Summary When using the default PrepareProposalHandler and the default SenderNonceMempool, an issue was identified which may allow invalid blocks to be proposed when a single sender includes multiple transactions with non-sequential sequence …

ASA-2024-002: Default `PrepareProposalHandler` may produce invalid proposals when used with default `SenderNonceMempool`

ASA-2024-002: Default PrepareProposalHandler may produce invalid proposals when used with default SenderNonceMempool Component: Cosmos SDK Criticality: Medium Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Summary When using the default PrepareProposalHandler and the default SenderNonceMempool, an issue was identified which may allow invalid blocks to be proposed when a single sender includes multiple transactions with non-sequential sequence …

2023

Barberry Security Advisory - regarding x/auth periodic vesting accounts

Impact In PeriodicVestingAccount, defined in x/auth, an attacker can initialize a victim's account as a malicious vesting account, which allows deposits but does not allow withdrawals. When the user then deposits funds into their account, those funds are locked forever, and the user is not able to withdraw them. Patches >= v0.46.13 for Cosmos SDK v0.46.x >= v0.47.3 for Cosmos SDK v0.47.x If a network backported periodic vesting accounts to …

github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee

x/crisis does not charge ConstantFee Impact If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK. Details The x/crisis module is supposed to allow anyone to halt a chain in the event of a violated invariant by sending a MsgVerifyInvariant with the name …

Go package github.com/cosmos/cosmos-sdk module x/crisis does NOT cause chain halt

x/crisis does NOT cause chain halt Impact If an invariant check fails on a Cosmos SDK network and a transaction is sent to the x/crisis module to halt the chain, the chain does not halt. All versions of the x/crisis module is affected on all versions of the Cosmos SDK. Details The x/crisis module is supposed to allow anyone to halt a chain in the event of a violated invariant …

2021