Headline
GHSA-86h5-xcpx-cfqc: ASA-2024-005: Potential slashing evasion during re-delegation
ASA-2024-005: Potential slashing evasion during re-delegation
Component: Cosmos SDK Criticality: Low Affected Versions: Cosmos SDK versions <= 0.50.4; <= 0.47.9 Affected Users: Chain developers, Validator and Node operators Impact: Slashing Evasion
Summary
An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.
Next Steps for Impacted Parties
If you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.
A Github Security Advisory for this issue is available in the Cosmos-SDK repository. For more information about Cosmos SDK, see https://docs.cosmos.network/.
This issue was found by cat shark (Khanh) who reported it to the Cosmos Bug Bounty Program on HackerOne on December 6, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
ASA-2024-005: Potential slashing evasion during re-delegation
Component: Cosmos SDK
Criticality: Low
Affected Versions: Cosmos SDK versions <= 0.50.4; <= 0.47.9
Affected Users: Chain developers, Validator and Node operators
Impact: Slashing Evasion
Summary
An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.
Next Steps for Impacted Parties
If you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.
A Github Security Advisory for this issue is available in the Cosmos-SDK repository. For more information about Cosmos SDK, see https://docs.cosmos.network/.
This issue was found by cat shark (Khanh) who reported it to the Cosmos Bug Bounty Program on HackerOne on December 6, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
References
- GHSA-86h5-xcpx-cfqc
- cosmos/cosmos-sdk@7dbed2f
- cosmos/cosmos-sdk@d1b5b0c