Advisories for Golang/Github.com/Cosmos/Cosmos-Sdk package

ASA-2024-006: ValidateVoteExtensions helper function may allow incorrect voting power assumptions Component: Cosmos SDK Criticality: High Affected Versions: Cosmos SDK versions <= 0.50.4, on 0.50 branches Affected Users: Chain developers, Validator and Node operators Impact: Elevation of Privilege Summary The default ValidateVoteExtensions helper function infers total voting power based off of the injected VoteExtension, which are injected by the proposer. If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest …

An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.

ASA-2024-003: Missing BlockedAddressed Validation in Vesting Module Component: Cosmos SDK Criticality: Low Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Description A vulnerability was identified in the x/auth/vesting module, which can allow a user to create a periodic vesting account on a blocked address, for example a non-initialized module account. Additional validation was added to prevent creation …

ASA-2024-003: Missing BlockedAddressed Validation in Vesting Module Component: Cosmos SDK Criticality: Low Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Description A vulnerability was identified in the x/auth/vesting module, which can allow a user to create a periodic vesting account on a blocked address, for example a non-initialized module account. Additional validation was added to prevent creation …

ASA-2024-002: Default PrepareProposalHandler may produce invalid proposals when used with default SenderNonceMempool Component: Cosmos SDK Criticality: Medium Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Summary When using the default PrepareProposalHandler and the default SenderNonceMempool, an issue was identified which may allow invalid blocks to be proposed when a single sender includes multiple transactions with non-sequential sequence …

ASA-2024-002: Default PrepareProposalHandler may produce invalid proposals when used with default SenderNonceMempool Component: Cosmos SDK Criticality: Medium Affected Versions: Cosmos SDK versions <= 0.50.3; <= 0.47.8 Affected Users: Chain developers, Validator and Node operators Impact: Denial of Service Summary When using the default PrepareProposalHandler and the default SenderNonceMempool, an issue was identified which may allow invalid blocks to be proposed when a single sender includes multiple transactions with non-sequential sequence …

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in github.com/cosmos/cosmos-sdk.

Impact In PeriodicVestingAccount, defined in x/auth, an attacker can initialize a victim's account as a malicious vesting account, which allows deposits but does not allow withdrawals. When the user then deposits funds into their account, those funds are locked forever, and the user is not able to withdraw them. Patches >= v0.46.13 for Cosmos SDK v0.46.x >= v0.47.3 for Cosmos SDK v0.47.x If a network backported periodic vesting accounts to …

x/crisis does not charge ConstantFee Impact If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK. Details The x/crisis module is supposed to allow anyone to halt a chain in the event of a violated invariant by sending a MsgVerifyInvariant with the name …

Withdrawn This advisory has been withdrawn because it is a duplicate of GHSA-j2cr-jc39-wpx5. This link is maintained to preserve external references. Original Description The cosmos-sdk module is affected by the vulnerability codenamed "Barberry".

The cosmos-sdk module is affected by the vulnerability codenamed "Barberry".

x/crisis does NOT cause chain halt Impact If an invariant check fails on a Cosmos SDK network and a transaction is sent to the x/crisis module to halt the chain, the chain does not halt. All versions of the x/crisis module is affected on all versions of the Cosmos SDK. Details The x/crisis module is supposed to allow anyone to halt a chain in the event of a violated invariant …

The Cosmos-SDK is a framework for building blockchain applications in Golang.Recovery would require applying the patch and rolling back the latest block. Users are advised to update to