Collecting and parsing audits and real hacks

[bytes032]

I think the deliverables/action points of this should be something like:

• Find Audits
• Write Eco-101, list of 101 issues
• Write Rekt-Eco, list of REAL hacks and war rooms

[bytes032]

https://maxwelldulin.com/BlogPost/stdout-cosmos-sdk-rce

[bytes032]

Some audits on Cosmos projects https://ottersec.notion.site/Sampled-Public-Audit-Reports-a296e98838aa4fdb8f3b192663400772

[bytes032]

Message spoofing:

[mdulin2]

Going through this right now and writing up notes. Specific findings on previous audits seems useful because of the context of the issues. Zellic and Halborn both have Cosmos SDK audits. https://drive.google.com/file/d/1TjLkNn9MobjGTupukJBxnpxr0DKvj_6V/view and https://drive.google.com/file/d/1F7RHWukeEcjUrA5P2BS3AYsttjYvQaw8/view?usp=sharing.

[bytes032]

These folks are assumed to be one of the best auditors in the Cosmos space? https://github.com/informalsystems/audits

[mdulin2]

Informal systems does a good job on these. IBC and EVMOS are two of the most important things in the Cosmos SDK library. Axelar is a very large project as well.

Actually, the Zellic audit of Zetachain is pretty fantastic as well.

[bytes032]

Informal systems does a good job on these. IBC and EVMOS are two of the most important things in the Cosmos SDK library. Axelar is a very large project as well.

Actually, the Zellic audit of Zetachain is pretty fantastic as well.

Adding Axelar https://github.com/axelarnetwork/audits

[mdulin2]

Should we be doing thorough explanations of these bugs or just linking other audits? currently, this is what I've been doing:

Zellic 3.1: Any ZetaSent events are processed regardless of what contract emits them (critical)

• Ethermint is an EVM implementation within the Cosmos SDK ecosystem. This particular implementation is essentially the only one used by projects. Zetachain uses Ethermint for the zEVM.
• To send funds from the zEVM to another chain, a ZetaSent event is emitted by the EVM by the Connector contract.
• The event originator was not validated or checked in this case. The contract should have checked that the sender was the Connector contract.
• Because this was not validated, an attacker could send this event to trigger the bridging functionality from an arbitrary contract. This allowed for arbitrary creation of events to other blockchains without actually locking the funds.

[mdulin2]

Or could do a combination of both too. Write out the previous audits of Zetachain thoroughly and a few other impactful ones then just link to a large amount of other audits.

[mdulin2]

WTF, the Halborn audit is private now... I was literally reading this last week. Hmmm.

[bytes032]

https://jumpcrypto.com/writing/

[bytes032]

Or could do a combination of both too. Write out the previous audits of Zetachain thoroughly and a few other impactful ones then just link to a large amount of other audits.

really up to you, perhaps you can try both just for a sample and then we figure which one we want to stick with

[mdulin2]

Cool, I'm down for that.

[mdulin2]

Inter-blockchain communication(IBC) error handling issues: https://jumpcrypto.com/writing/huckleberry-ibc-event-hallucinations/ CosmWasm stack overflow: https://jumpcrypto.com/writing/stop-the-chain-cosmwasm-stack-overflow/ Double voting on Celer: https://jumpcrypto.com/writing/election-fraud-double-voting-in-celers-state-guardian-network/ Inter-blockchain communication(IBC) lack of channel verification: https://jumpcrypto.com/writing/preventing-airdrop-theft-on-stride-an-ibc-integration-vulnerability/ Misunderstanding how the ante handler works to bypass gas checks: https://jumpcrypto.com/writing/bypassing-ethermint-ante-handlers/

[bytes032]

Oak Security audit for Cosmos this year: https://github.com/oak-security/audit-reports/blob/master/Cosmos/2023-06-23%20Audit%20Report%20-%20Cosmos%20Interchain%20Security%20v1.0.pdf

[bytes032]

Zellic Auditor Alpha:

but for cosmos specifically, I'd recommend finding as many audit reports as you can, blog posts, articles, etc, and build a common base of knowledge for cosmos. Messages in cosmos are similar to external functions in solidity for example, so you can start building a security model based off of that. How are message callers and arguments validated? Ensure to check that privileged messages can't be called by anyone, ensure that each argument is validated as needed, etc

its a lot so i don't have specific resources in mind, but yeah I'd read through blog posts, audit reports, and anything else you can find on cosmos hacks

[bytes032]

Quantumbrief audit for zetachain: https://drive.google.com/file/d/1N9JLdYaq6_gyruMrRDrrrl-JUHANQrI5/view

[bytes032]

Veridise audit for zetachain: https://drive.google.com/file/d/1ZOaVqXRPoYXPG2m1hSKvizhlbo29j4TJ/view

[bytes032]

Halborn cosmos audits: https://github.com/HalbornSecurity/PublicReports/tree/master/Cosmos%20Audits

[bytes032]

Zellic cosmos audits: https://github.com/Zellic/publications

[bytes032]

https://www.coindesk.com/tech/2023/04/14/developers-block-potential-eight-figure-exploit-involving-cosmos-based-ethermint/

[defsec]

https://github.com/oak-security/audit-reports/tree/master

[bytes032]

https://github.com/thorchain/Resources/blob/master/Audits/THORChain-TrailOfBits-FullAudit-Aug2021.pdf

[defsec]

https://leastauthority.com/static/publications/LeastAuthority-Cosmos-SDK-Audit-Report.pdf