Recently, a high-severity issue impacting cosmos-sdk was reported to core developers. This issue impacts chains running on v0.46 and v0.47, and chains on v0.45 may be vulnerable if they backport features of cosmos-sdk modules to their respective forks.
A patch for this issue will be included in the next release of the cosmos-sdk that will be available on Thursday, June 8 at 16:00 UTC. If your chain is running v0.46 or v0.47 of the cosmos-sdk, core developers recommend upgrading to the latest version as quickly as possible.
Security notifications to impacted chains, including those that appear to backport module features, will be sent in parallel with this announcement. If your chain is running on v0.45 or below with backported features from SDK modules and you are concerned about being vulnerable to this issue, please reach out to barberry@amulet.dev, where members of the Informal Systems and Amulet teams will be on hand to help identify if your chain is vulnerable and to assist with patching.
Update: the Cosmos SDK team has released v0.46.13 and v0.47.3.
Release notes are available here:
v0.46.13: Release v0.46.13 · cosmos/cosmos-sdk · GitHub
v0.47.3: Release v0.47.3 · cosmos/cosmos-sdk · GitHub
The relevant section:
- All chains using Cosmos SDK v0.46.0/v0.47.0 and above must upgrade to v0.46.13/v0.47.3 immediately.
- A chain is not affected by the vulnerability as soon as 33%+1 of the voting power has upgraded.
- A chain is safe from halting as soon as 66%+1 of the voting power has upgraded.
- Coordinate with your validators to upgrade as soon as possible.
- The upgrade can be applied as a rolling upgrade across the validators or as a coordinated upgrade.
- Networks should decide which option gets them upgraded quicker.
Some more clarification on rolling updates: as you know, if different validators have different, non-compatible versions of the binary, at some point they will not agree on a block. This could lead to AppHash errors for the minority (if less than 33% of voting power is on one version) or chain halt (if the difference is between 33% and 66% of the voting power).
Regardless of whether a network chooses a rolling update or a coordinated update, more than 66% of the voting power should be upgraded as soon as possible for a safe network. I hope this helps in making the decision between a rolling update or a coordinated update. Choose the one that gets you to 66%+1 faster.
Security advisory has been released on GitHub. Link: Barberry Security Advisory - regarding x/auth periodic vesting accounts · Advisory · cosmos/cosmos-sdk · GitHub
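For tracking a rolling upgrade against the 33%+1 and 66%+1 thresholds quoted above, here is an added example (not part of the original thread or the cosmos-sdk code base). The `Validator` type, the `Status` and `patched` helpers and the sample set are hypothetical; it assumes the thresholds mean strictly more than 1/3 and 2/3 of total voting power, that later patch releases on the same line also carry the fix, and it counts unknown versions as not upgraded.

```go
package main

import "fmt"

// Validator is a constructed record: voting power and the SDK version the operator reports.
type Validator struct {
	Moniker    string
	Power      int64
	SDKVersion string
}

// patched reports whether v is v0.46.13+ on the 0.46 line or v0.47.3+ on the
// 0.47 line. Anything else, including unknown versions, counts as unpatched.
func patched(v string) bool {
	var minor, patch int
	if n, err := fmt.Sscanf(v, "v0.%d.%d", &minor, &patch); err != nil || n != 2 {
		return false
	}
	return (minor == 46 && patch >= 13) || (minor == 47 && patch >= 3)
}

// Status returns a label for upgrade progress and the extra voting power still
// needed to pass 2/3. Assumption: "33%+1"/"66%+1" mean strictly above 1/3 and 2/3.
func Status(vals []Validator) (string, int64) {
	var total, up int64
	for _, v := range vals {
		total += v.Power
		if patched(v.SDKVersion) {
			up += v.Power
		}
	}
	need := 2*total/3 + 1 - up // smallest power strictly above 2/3, minus current
	switch {
	case 3*up > 2*total:
		return "safe-from-halt", 0
	case 3*up > total:
		return "not-vulnerable-halt-risk", need
	default:
		return "vulnerable", need
	}
}

func main() {
	vals := []Validator{ // constructed sample set
		{"a", 40, "v0.47.3"}, {"b", 30, "v0.47.2"}, {"c", 20, "v0.46.13"}, {"d", 10, ""}}
	fmt.Println(Status(vals)) // label, then power still needed to pass 2/3
}
```

Integer comparisons are used instead of percentages so that a set sitting exactly on 1/3 or 2/3 is not rounded into the safer class.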