GHSA-83qr-9v2h-qxp4: Cosmos Hub (Gaia): The check for the height of cryptographic equivocation evidence is missing

Summary

An issue was identified in the Interchain Security (ICS) module that could result in the slashing of a validator for an “old” equivocation. The height-based filter for consumer equivocation evidence introduced in v2.4.0-lsm was re-enabled.

Details

ICS v2.4.0-lsm introduced a height-based filter for consumer equivocation evidence. This feature enables a provider to set, per consumer chain, a minimum height from which cryptographic evidence is considered valid. The Cosmos Hub v14 upgrade bumped ICS to v2.4.0-lsm and also set the minimum evidence height for both the neutron-1 and stride-1 consumer chains to their respective heights at that time (see PR). As a result, “older” cryptographic evidence was no longer accepted by the Hub.

The Cosmos Hub v15 upgrade bumped ICS to v3.3.3-lsm, which had the height-based filter for consumer equivocation evidence disabled.
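
The filter described above, as a simplified Go model added here for illustration (it is not code from ICS or Gaia): the same double-sign evidence is checked once without the height filter and once with it. All type and function names, the chain ID `consumer-1` and the heights are hypothetical or constructed, and treating evidence exactly at the minimum height as valid is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Vote and Evidence are simplified, hypothetical stand-ins for ICS types.
type Vote struct {
	Validator, BlockID string
	Height             int64
	Round              int32
}

type Evidence struct {
	ChainID string
	A, B    Vote
}

var (
	ErrNotEquivocation = errors.New("votes do not conflict")
	ErrTooOld          = errors.New("evidence height below consumer minimum")
)

// Provider models the provider chain's view of its consumer chains.
type Provider struct {
	MinHeight     map[string]int64 // per consumer chain minimum evidence height
	FilterEnabled bool             // false models a release without the check
}

// CheckEvidence returns nil when the evidence would lead to slashing.
func (p Provider) CheckEvidence(e Evidence) error {
	// Equivocation: one validator, same height and round, two different blocks.
	if e.A.Validator != e.B.Validator || e.A.Height != e.B.Height ||
		e.A.Round != e.B.Round || e.A.BlockID == e.B.BlockID {
		return ErrNotEquivocation
	}
	// Assumption: evidence exactly at the minimum height is still valid.
	if floor, ok := p.MinHeight[e.ChainID]; p.FilterEnabled && ok && e.A.Height < floor {
		return ErrTooOld
	}
	return nil
}

// Constructed sample: a double sign at height h on hypothetical chain "consumer-1".
func doubleSign(h int64) Evidence {
	return Evidence{"consumer-1", Vote{"val1", "blockX", h, 0}, Vote{"val1", "blockY", h, 0}}
}

func main() {
	minH := map[string]int64{"consumer-1": 1000} // constructed value
	fmt.Println(Provider{minH, false}.CheckEvidence(doubleSign(900))) // <nil>: old evidence is accepted
	fmt.Println(Provider{minH, true}.CheckEvidence(doubleSign(900)))  // rejected as too old
}
```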

Moderate severity • GitHub Reviewed • Published Aug 14, 2024 in cosmos/gaia • Updated Aug 14, 2024

Package

gomod github.com/cosmos/gaia (Go)

Affected versions

> 14.2.0, < 17.3.0

References

  • GHSA-83qr-9v2h-qxp4

Published to the GitHub Advisory Database: Aug 14, 2024

Last updated: Aug 14, 2024
