cosmos / ibc-apps

IBC applications and middleware for Cosmos SDK chains.
Apache License 2.0

Update Patched Fix ASA-2024-006: ValidateVoteExtensions helper function in Cosmos SDK may allow incorrect voting power assumptions #181

Closed bangtabil closed 5 months ago

bangtabil commented 5 months ago

Summary

The default ValidateVoteExtensions helper function infers total voting power based off of the injected VoteExtension, which are injected by the proposer. If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.

Details

The ValidateVoteExtensions helper function in Cosmos SDK allows a dishonest proposer to mutate the voting power of validators included in the injected VoteExtension. This can lead to unexpected or negative consequences on the modified state of the blockchain. The function infers the total voting power based on the injected VoteExtension, which can be manipulated by the proposer. To mitigate this vulnerability, additional validation on the injected VoteExtension data has been added to confirm voting power against the state machine.
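To make the advisory's mechanism concrete for reviewers, here is an added, simplified model (not Cosmos SDK code and not part of this PR) of the two validation strategies it contrasts: one that derives total voting power from the proposer-injected data alone, and one that cross-checks every injected entry, and the threshold denominator, against the state machine's validator set. The types InjectedVote and StateValidatorSet, the 2/3 threshold and the sample validator powers are all constructed assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// InjectedVote is a hypothetical, simplified stand-in for one proposer-injected
// vote-extension entry: the validator it belongs to and the voting power the
// proposer claims for it. It is not a Cosmos SDK type.
type InjectedVote struct {
	Validator string
	Power     int64
}

// StateValidatorSet is the voting power the state machine records for each
// bonded validator (constructed sample data, not real chain state).
type StateValidatorSet map[string]int64

// TotalPower returns the total voting power known to state.
func (s StateValidatorSet) TotalPower() int64 {
	var total int64
	for _, p := range s {
		total += p
	}
	return total
}

// thresholdMet reports whether power strictly exceeds 2/3 of total.
func thresholdMet(power, total int64) bool {
	return total > 0 && power*3 > total*2
}

// ValidateFromInjectedOnly models the weakness described in the advisory:
// both the signed power and the total it is compared against come from the
// injected entries, so whoever built the proposal controls both numbers.
func ValidateFromInjectedOnly(votes []InjectedVote) error {
	var total, signed int64
	for _, v := range votes {
		total += v.Power
		signed += v.Power // simplified: every injected entry counts as a signer
	}
	if !thresholdMet(signed, total) {
		return errors.New("insufficient voting power")
	}
	return nil
}

// ValidateAgainstState models the patched approach: each injected entry must
// name a validator present in state, must claim exactly the power state
// records for it, may appear only once, and the threshold is evaluated
// against state's total power rather than the injected sum.
func ValidateAgainstState(votes []InjectedVote, state StateValidatorSet) error {
	seen := make(map[string]bool, len(votes))
	var signed int64
	for _, v := range votes {
		if seen[v.Validator] {
			return fmt.Errorf("validator %s listed twice", v.Validator)
		}
		seen[v.Validator] = true
		statePower, ok := state[v.Validator]
		if !ok {
			return fmt.Errorf("validator %s not in state validator set", v.Validator)
		}
		if v.Power != statePower {
			return fmt.Errorf("validator %s: injected power %d != state power %d",
				v.Validator, v.Power, statePower)
		}
		signed += statePower
	}
	if !thresholdMet(signed, state.TotalPower()) {
		return errors.New("insufficient voting power")
	}
	return nil
}

func main() {
	// Constructed state: three validators, total power 100.
	state := StateValidatorSet{"val-a": 50, "val-b": 30, "val-c": 20}
	// Constructed proposal: only val-a is included, with its power overstated.
	votes := []InjectedVote{{Validator: "val-a", Power: 100}}
	fmt.Println("injected-only check:", ValidateFromInjectedOnly(votes))
	fmt.Println("state-checked:      ", ValidateAgainstState(votes, state))
}
```

Running it shows the injected-only check returning nil for a proposal that state-checked validation rejects, which is the gap the advisory's added validation closes.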

Reecepbcups commented 5 months ago

Thankfully, since this repo is only an import, it should not affect upstream versions (they can bump without this having to also be updated).

It does need a go mod tidy. If issues persist after that, there is a pending SDK patch for v0.50.5.

faddat commented 5 months ago

I have a strong preference for keeping deps up to date anywhere, regardless.

The reason for this is that these repositories are used for reference, and people may reference the versions elsewhere and then end up with an ouchie.

faddat commented 5 months ago

This PR is very nice, because it will prevent downgrades of packages to versions containing security issues.

go get github.com/cosmos/ibc-apps/modules/ibc-hooks/v7@26f3ad8
go: downloading github.com/cometbft/cometbft v0.37.1
go: downloading github.com/cosmos/cosmos-sdk v0.47.3-0.20230513170018-83d600596f5d
go: downloading github.com/cosmos/ibc-go/v7 v7.0.0

Basically when upstream doesn't keep strictly up to date, downstream gets cholera.

... but it seems that this was addressed in a PR by @hoank101 and this one is now safe to close.