Headline
GHSA-x5vx-95h7-rv4p: Cosmos SDK: Groups module can halt chain when handling a malicious proposal
Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.47.15, <= 0.50.11 Affected users: Validators, Full nodes, Users on chains that utilize the groups module
Description
An issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.
Patches
The new Cosmos SDK release v0.50.12 and v0.47.16 fix this issue.
Workarounds
There are no known workarounds for this issue. It is advised that chains apply the update.
Timeline
- February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program
- February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team
- February 9, 2025, 12:25pm PST: Core team completes validation of issue
- February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered
- February 20, 2025, 8:00am PST / 17:00 CET: Patch made available
This issue was reported to the Cosmos Bug Bounty Program by dongsam on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the Cosmos SDK repository.
- GitHub Advisory Database
- GitHub Reviewed
- GHSA-x5vx-95h7-rv4p
Cosmos SDK: Groups module can halt chain when handling a malicious proposal
High severity GitHub Reviewed Published Feb 20, 2025 in cosmos/cosmos-sdk • Updated Feb 20, 2025
Package
gomod github.com/cosmos/cosmos-sdk (Go)
Affected versions
<= 0.47.15
>= 0.50.0-alpha.0, <= 0.50.11
Patched versions
0.47.16-ics-lsm
0.50.12
Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal
Component: CosmosSDK
Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2)
Affected versions: <= v0.47.15, <= 0.50.11
Affected users: Validators, Full nodes, Users on chains that utilize the groups module
Description
An issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.
Patches
The new Cosmos SDK release v0.50.12 and v0.47.16 fix this issue.
Workarounds
There are no known workarounds for this issue. It is advised that chains apply the update.
Timeline
- February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program
- February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team
- February 9, 2025, 12:25pm PST: Core team completes validation of issue
- February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered
- February 20, 2025, 8:00am PST / 17:00 CET: Patch made available
This issue was reported to the Cosmos Bug Bounty Program by dongsam on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.
A Github Security Advisory for this issue is available in the Cosmos SDK repository.
References
- GHSA-x5vx-95h7-rv4p
- cosmos/cosmos-sdk@0a98b65
- https://github.com/cosmos/cosmos-sdk/releases/tag/v0.47.16
- https://github.com/cosmos/cosmos-sdk/releases/tag/v0.50.12
Published to the GitHub Advisory Database
Feb 20, 2025
Last updated
Feb 20, 2025