Skip to content

ASA-2024-005: Potential slashing evasion during re-delegation

Low
mizmo18 published GHSA-86h5-xcpx-cfqc Feb 27, 2024

Package

gomod github.com/cosmos/cosmos-sdk (Go)

Affected versions

<= 0.50.4
<= 0.47.9

Patched versions

0.50.5
0.47.10

Description

ASA-2024-005: Potential slashing evasion during re-delegation

Component: Cosmos SDK
Criticality: Low
Affected Versions: Cosmos SDK versions <= 0.50.4; <= 0.47.9
Affected Users: Chain developers, Validator and Node operators
Impact: Slashing Evasion

Summary

An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.

Next Steps for Impacted Parties

If you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.

A Github Security Advisory for this issue is available in the Cosmos-SDK repository. For more information about Cosmos SDK, see https://docs.cosmos.network/.

This issue was found by cat shark (Khanh) who reported it to the Cosmos Bug Bounty Program on HackerOne on December 6, 2023. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

Severity

Low

CVE ID

No known CVE

Weaknesses