Closed bangtabil closed 5 months ago
Thankfully, since this repo is only an import, it should not affect upstream versions (they can bump without this having to also be updated).
This does need a go mod tidy. If issues persist after that, there is a pending SDK patch for v0.50.5.
I have a strong preference for keeping deps up to date anywhere, regardless.
The reason for this is that these repositories are used for reference, and people may reference the versions elsewhere and then end up with an ouchie.
This PR is very nice, because it will prevent downgrades of packages to versions containing security issues.
go get github.com/cosmos/ibc-apps/modules/ibc-hooks/v7@26f3ad8
go: downloading github.com/cometbft/cometbft v0.37.1
go: downloading github.com/cosmos/cosmos-sdk v0.47.3-0.20230513170018-83d600596f5d
go: downloading github.com/cosmos/ibc-go/v7 v7.0.0
Basically when upstream doesn't keep strictly up to date, downstream gets cholera.
... but it seems that this was addressed in a PR by @hoank101 and this one is now safe to close.
Summary
The default ValidateVoteExtensions helper function infers total voting power based on the injectedVoteExtension, which is injected by the proposer. If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate the voting power of each validator it includes in the injectedVoteExtension, which could have unexpected or negative consequences on modified state. Additional validation on injectedVoteExtension data was added to confirm voting power against the state machine.
Details
The ValidateVoteExtensions helper function in Cosmos SDK allows a dishonest proposer to mutate the voting power of validators included in the injected VoteExtension. This can lead to unexpected or negative consequences on the modified state of the blockchain. The function infers the total voting power based on the injected VoteExtension, which can be manipulated by the proposer. To mitigate this vulnerability, additional validation on the injected VoteExtension data has been added to confirm voting power against the state machine.
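A simplified model of the check described above, added here as an example and not the Cosmos SDK's own code: the first function infers the total from the proposer-injected data (the pre-fix behaviour), the second confirms every injected power against the state machine. The ExtendedVote and StatePower types, the strict 2/3 threshold and the validator powers in the comments are assumptions for this example.

```go
package main

import "fmt"

// ExtendedVote is one entry of the proposer-injected vote extension data (constructed for this example, not the SDK's own type).
type ExtendedVote struct {
	ValAddr string
	Power   int64 // voting power as claimed by the proposer
	Signed  bool  // carried a valid extension signature (assumed verified upstream)
}

// StatePower is the voting power the state machine records per validator.
type StatePower map[string]int64

// validateInferredPower mirrors the pre-fix behaviour: total and signed power both come from proposer-supplied data.
func validateInferredPower(votes []ExtendedVote) error {
	var total, signed int64
	for _, v := range votes {
		total += v.Power
		if v.Signed {
			signed += v.Power
		}
	}
	return checkThreshold(signed, total)
}

// validateAgainstState mirrors the fix: the total comes from state, and each injected power must match the state record.
func validateAgainstState(votes []ExtendedVote, state StatePower) error {
	var total, signed int64
	for _, p := range state {
		total += p
	}
	for _, v := range votes {
		p, ok := state[v.ValAddr]
		if !ok || v.Power != p {
			return fmt.Errorf("validator %s: injected power %d does not match state (%d, known=%t)", v.ValAddr, v.Power, p, ok)
		}
		if v.Signed {
			signed += p
		}
	}
	return checkThreshold(signed, total)
}

// checkThreshold requires strictly more than 2/3 of total power to have signed.
func checkThreshold(signed, total int64) error {
	if total <= 0 || signed*3 <= total*2 {
		return fmt.Errorf("insufficient signed voting power: %d of %d", signed, total)
	}
	return nil
}
```

With a state of 60/30/10, an injected set that inflates the 10-power validator to 1000 (or simply omits the other validators) satisfies the inferred check but is rejected once powers are confirmed against state.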