Skip to content

ASA-2024-005: Potential slashing evasion during re-delegation

Low severity GitHub Reviewed Published Feb 27, 2024 in cosmos/cosmos-sdk • Updated Nov 4, 2024

Package

gomod github.com/cosmos/cosmos-sdk (Go)

Affected versions

>= 0.50.0, <= 0.50.4
<= 0.47.9

Patched versions

0.50.5
0.47.10

Description

ASA-2024-005: Potential slashing evasion during re-delegation

Component: Cosmos SDK
Criticality: Low
Affected Versions: Cosmos SDK versions <= 0.50.4; <= 0.47.9
Affected Users: Chain developers, Validator and Node operators
Impact: Slashing Evasion

Summary

An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.

Next Steps for Impacted Parties

If you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.

A Github Security Advisory for this issue is available in the Cosmos-SDK repository. For more information about Cosmos SDK, see https://docs.cosmos.network/.

This issue was found by cat shark (Khanh) who reported it to the Cosmos Bug Bounty Program on HackerOne on December 6, 2023. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

References

@mizmo18 mizmo18 published to cosmos/cosmos-sdk Feb 27, 2024
Published to the GitHub Advisory Database Feb 27, 2024
Reviewed Feb 27, 2024
Last updated Nov 4, 2024

Severity

Low

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-86h5-xcpx-cfqc

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.