Headline
GHSA-8qxh-2gh8-r923: cheqd-node subject to Cosmos SDK "Barberry" vulnerability
Impact
This vulnerability dubbed “Barberry” affects the Cosmos SDK framework used by cheqd-node as base.
It impacts the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework.
There is no vulnerability in the DID/resource modules for cheqd-node.
Patches
Node operators are requested to upgrade to cheqd-node v1.4.4. This is not a state-breaking release and does not require a coordinated upgrade across all node operators.
This vulnerability was patched in Cosmos SDK v0.46.13. Since this version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was backported to cheqd’s fork of Cosmos SDK.
Mitigation
When at least ~33% of the voting power of the network has deployed the recommended version of the software, any attack would be unsuccessful but cause a chain halt.
Once at least ~67% of the voting power of the network has deployed recommended version of the software, the attack would be unsuccessful without a chain halt.
Workarounds
No. Node operators are recommended to upgrade to the latest release version.
References
Impact
This vulnerability dubbed “Barberry” affects the Cosmos SDK framework used by cheqd-node as base.
It impacts the way Cosmos SDK handles vesting accounts, and can therefore be a high-impact vulnerability for any network running the framework.
There is no vulnerability in the DID/resource modules for cheqd-node.
Patches
Node operators are requested to upgrade to cheqd-node v1.4.4. This is not a state-breaking release and does not require a coordinated upgrade across all node operators.
This vulnerability was patched in Cosmos SDK v0.46.13. Since this version switches to Go v1.19 and also changes the namespace of many Cosmos protobuf packages, the Barberry fix was backported to cheqd’s fork of Cosmos SDK.
Mitigation
When at least ~33% of the voting power of the network has deployed the recommended version of the software, any attack would be unsuccessful but cause a chain halt.
Once at least ~67% of the voting power of the network has deployed recommended version of the software, the attack would be unsuccessful without a chain halt.
Workarounds
No. Node operators are recommended to upgrade to the latest release version.
References
- “Barberry” vulnerability security advisory
- Cosmos SDK v0.46.13 release notes
References
- GHSA-8qxh-2gh8-r923
- https://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825
- https://github.com/cosmos/cosmos-sdk/releases/tag/v0.46.13