Cosmos SDK Security Advisory Barberry

Recently, a high-severity issue impacting cosmos-sdk was reported to core developers. This issue impacts chains running on v0.46 and v0.47, and chains on v0.45 may be vulnerable if they backport features of cosmos-sdk modules to their respective forks.

A patch for this issue will be included in the next release of the cosmos-sdk that will be available on Thursday, June 8 at 16:00 UTC. If your chain is running v0.46 or v0.47 of the cosmos-sdk, core developers recommend upgrading to the latest version as quickly as possible.

Security notifications to impacted chains, including those that appear to backport module features, will be sent in parallel with this announcement. If your chain is running on v0.45 or below with backported features from SDK modules and you are concerned about being vulnerable to this issue, please reach out to barberry@amulet.dev, where members of the Informal Systems and Amulet teams will be on hand to help identify if your chain is vulnerable and to assist with patching.

Update: the Cosmos SDK team has released v0.46.13 and v0.47.3.

Release notes are available here:
v0.46.13: Release v0.46.13 · cosmos/cosmos-sdk · GitHub
v0.47.3: Release v0.47.3 · cosmos/cosmos-sdk · GitHub

The relevant section:

  • All chains using Cosmos SDK v0.46.0/v0.47.0 and above must upgrade to v0.46.13/v0.47.3 immediately.
  • A chain is not affected by the vulnerability as soon as 33%+1 of the voting power has upgraded.
  • A chain is safe from halting as soon as 66%+1 of the voting power has upgraded.
  • Coordinate with your validators to upgrade as soon as possible.
  • The upgrade can be applied as a rolling upgrade across the validators or as a coordinated upgrade.
  • Networks should decide which option gets them upgraded quicker.

Some more clarification on rolling updates: as you know, if different validators run different, non-compatible versions of the binary, at some point they will not agree on a block. This could lead to AppHash errors for the minority (if less than 33% of voting power is on one version) or a chain halt (if the difference is between 33% and 66% of the voting power).

Regardless of whether a network chooses a rolling update or a coordinated update, more than 66% of the voting power should be upgraded as soon as possible for a safe network. I hope this helps with making the decision between a rolling update and a coordinated update. Choose the one that gets you to 66%+1 faster.

Security advisory has been released on GitHub. Link: Barberry Security Advisory - regarding x/auth periodic vesting accounts · Advisory · cosmos/cosmos-sdk · GitHub

6 Likes
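The two thresholds quoted from the release notes (33%+1 to be protected, 66%+1 to be safe from a halt) and the rolling-upgrade explanation above are both consequences of Tendermint needing more than 2/3 of voting power to commit a block. The following is an added example, not code from the Cosmos SDK or from the advisory, that evaluates a validator set against those thresholds with exact integer arithmetic and reports which side keeps producing blocks if patched and unpatched validators disagree. The validator names and voting powers are constructed sample data; the `Validator`, `Status` and `Assess` names are this example's own.

```go
package main

import "fmt"

// Validator is a constructed record (not from the advisory): a validator's
// voting power and whether it already runs a patched binary.
type Validator struct {
	Name     string
	Power    uint64
	Upgraded bool
}

// Outcome describes what happens if patched and unpatched validators disagree
// on a block during a rolling upgrade, following the thread's explanation.
type Outcome int

const (
	// More than 2/3 of power is patched: the chain keeps producing blocks and
	// the unpatched minority falls off with AppHash errors.
	PatchedSideProceeds Outcome = iota
	// More than 2/3 of power is still unpatched: the unpatched side keeps the
	// chain going and the patched minority sees AppHash errors.
	UnpatchedSideProceeds
	// Neither side holds more than 2/3: no block can be committed, chain halt.
	ChainHalt
)

func (o Outcome) String() string {
	switch o {
	case PatchedSideProceeds:
		return "patched side proceeds, unpatched minority gets AppHash errors"
	case UnpatchedSideProceeds:
		return "unpatched side proceeds, patched minority gets AppHash errors"
	default:
		return "chain halt: no side holds more than 2/3 of voting power"
	}
}

// Status summarises a validator set against the two advisory thresholds.
type Status struct {
	TotalPower      uint64
	UpgradedPower   uint64
	Mitigated       bool   // strictly more than 1/3 of power upgraded ("33%+1")
	SafeFromHalt    bool   // strictly more than 2/3 of power upgraded ("66%+1")
	PowerToMitigate uint64 // extra voting power still needed for Mitigated
	PowerToSafe     uint64 // extra voting power still needed for SafeFromHalt
	DisagreeOutcome Outcome
}

// moreThanFraction reports whether part/total > num/den using integer math,
// so the thresholds are evaluated exactly rather than via float rounding.
func moreThanFraction(part, total, num, den uint64) bool {
	return part*den > num*total
}

// minimumToExceed returns the smallest voting power strictly greater than
// total*num/den.
func minimumToExceed(total, num, den uint64) uint64 {
	return total*num/den + 1
}

// Assess sums voting power by upgrade state and classifies the set.
func Assess(vals []Validator) Status {
	var s Status
	for _, v := range vals {
		s.TotalPower += v.Power
		if v.Upgraded {
			s.UpgradedPower += v.Power
		}
	}
	s.Mitigated = moreThanFraction(s.UpgradedPower, s.TotalPower, 1, 3)
	s.SafeFromHalt = moreThanFraction(s.UpgradedPower, s.TotalPower, 2, 3)
	if need := minimumToExceed(s.TotalPower, 1, 3); need > s.UpgradedPower {
		s.PowerToMitigate = need - s.UpgradedPower
	}
	if need := minimumToExceed(s.TotalPower, 2, 3); need > s.UpgradedPower {
		s.PowerToSafe = need - s.UpgradedPower
	}
	unpatched := s.TotalPower - s.UpgradedPower
	switch {
	case s.SafeFromHalt:
		s.DisagreeOutcome = PatchedSideProceeds
	case moreThanFraction(unpatched, s.TotalPower, 2, 3):
		s.DisagreeOutcome = UnpatchedSideProceeds
	default:
		s.DisagreeOutcome = ChainHalt
	}
	return s
}

func main() {
	// Constructed sample set; names and powers are illustrative only.
	vals := []Validator{
		{"val-a", 40, true},
		{"val-b", 25, false},
		{"val-c", 20, false},
		{"val-d", 15, true},
	}
	s := Assess(vals)
	fmt.Printf("upgraded %d/%d power; mitigated=%v (need %d more); safe from halt=%v (need %d more)\n",
		s.UpgradedPower, s.TotalPower, s.Mitigated, s.PowerToMitigate, s.SafeFromHalt, s.PowerToSafe)
	fmt.Println("if versions disagree on a block now:", s.DisagreeOutcome)
}
```

Note the gap between the two thresholds: with exactly one third of the power patched the chain is not yet mitigated, yet the unpatched side no longer holds the +2/3 it needs to commit, so a disagreement at that point already halts the chain. That window is why the thread recommends moving as much voting power as possible past 66%+1 in one go.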

I think a few details are missing here:

  1. Is this upgrade consensus breaking?
  2. What are the consequences for the chains that would fail to release a fix? Would there be a possibility for a chain halt, or users’ tokens could be stolen?

Regarding 2): I am not sure whether it’s possible for the team to share more details without actually disclosing the vulnerability, so I think it would be good to either share the details on what parts of the chain can be affected and in what way (without actually revealing how it can be done), if that’s possible, or clarify that it is not possible to reveal that without risking chains’ safety. Also, having a post-mortem after the fix is deployed would be really great.

4 Likes

Notional will support teams affected by Barberry free of charge.

If you need help, please contact twitter.com/gadikian or twitter.com/notionaldao

What is amulet?

It’s a new security contracting company thanks to @Syed and @catdotfish for clarifying.

Who is amulet?

Amulet is a team of security researchers led by Jessy Irwin, two long-time security experts in the Cosmos ecosystem. They are helping core developer teams with security incident response handling. Jessy worked at the ICF on security incidents, a few years ago.

(Quote modified per @Jessysaurusrex request)

No, I just want to give an advisory to all of the validators and developer teams and whatever: if you see an account that hasn’t posted in 4 years on the forum all of a sudden, and it asks you to send an email to a company you have no reason to have ever heard of, let me tell you, people: don’t touch it. That has every hallmark of a bad actor.

No, I also wish to say that this is not a bad actor; it was Greg from Informal posting. I have gone through and checked upstream and made sure everybody is actually everybody, but what you need to know is: if you see something like this, run or ask somebody else.

It’s perfectly safe to contact Informal or Amulet about this. You can also contact twitter.com/gadikian.

If this had been a North Korean spear-phishing attempt, respondents to the email address, including chain team leads, who are a prime target, would already be receiving targeted spear-phishing materials instead of assistance with security.

Notional will not ask you to email.

3 Likes

Hi I just wanted to let everybody know that 10 minutes from now, notional is going to be holding a planning call for barberry.

1 Like

Hi, so I think that we can all agree that there are many people who have four-year-old dormant accounts.

If those people begin making security alerts, without any verification of who they are, citing an unknown organization, that can lead to very serious problems.

So I would like to just be clear: I do believe that there was a very serious problem with how this incident was disclosed, by an account that hadn’t been active on the forum for 4 years, that has no actual name associated with it, without identifying itself as a member of a given team, assuming that the community should just trust them.

Personally, I believe that that is an almost exact recipe for causing catastrophic failures.

@Jessysaurusrex

I understand fully that you had no part in this. I understand fully that you’re not a North Korean agent. I also understand that there are various types of threat actors active in Cosmos, which include North Korea, and that it’s most likely North Korea that just knocked over Atomic Wallet.

Therefore, I think it’s a good idea to help the community to have a very healthy skepticism of posts that introduce a new organization, come from a 4-year-old account that has not posted in 4 years, and instruct teams to contact an email address. The only reason that I was comfortable using the email address is that I checked with the ICF communications team on this matter, many thanks to @Syed and @catdotfish.

Otherwise I believe that the appropriate advice to anyone, upon seeing such a post, is to simply not speak to whoever is at the end of that email address.

Once again, for clarity: it’s totally fine to speak to Amulet or Informal about this, and it’s fine to contact the Amulet email address above. I know this because I checked.

The original poster @Greg is a team member at Informal Systems. Amulet is a new security company in Cosmos led by @Jessysaurusrex.

Do not email unknowns, ever.

I can’t emphasize this enough. We know for sure that there are various threat actors collecting people’s email contact information and sharing highly sophisticated spear-phishing techniques.

Do not trust accounts that just sort of show up here out of nowhere.

Check everything.

2 Likes

Agree with the details missing, especially the first question, which involves additional coordination between relevant parties. Less than 1 day without these details is not enough.

2 Likes

Per @marbar request I made a DM channel between you and him on Twitter.

The distribution of information around this has been confusing to say the least.

@Syed is now saying that we should get a hold of the Cosmos SDK team directly to discuss those, which just causes me to question this post, which said to get a hold of Informal or Amulet. Anybody who contacts me, I will be putting them in touch directly with the SDK team.

[removed tweet link]

1 Like

I would agree with caution on responding to dormant accounts and/or new organisations. Even if they are known members of the community, especially with dormant accounts, it’s a possibility that we must not ignore that perhaps that account got compromised. It’s a strong modus operandi for a supply-chain attack that could affect the entire ecosystem.

That being said, I’m glad @jacobgadikian has independently validated this information through other channels, with other accounts.

2 Likes

Isn’t the real Twitter account for Cosmos @cosmos? This one has 514k followers, 4k+ tweets

The account you linked that goes by the handle @cosmos_sdk only has 235 followers, joined in July 2022, and only 8 tweets.

I do find that slightly suspicious/worrying unless someone validates that’s a genuine account.

Yeah, I regard the following account to be canonical for the SDK:

https://twitter.com/cosmossdk

Is cosmos_sdk correct?

For everyone following this topic, here’s the most up to date information as I understand it:

Currently it seems like users of 46 and 47 should upgrade to v0.46.13 or v0.47.3 at 1600 UTC, moving as much VP as possible to the new versions as quickly as possible (eg: at 1600 UTC).

1 Like

Since some folks have chosen to state that my requests for clarity here are in opposition to Amulet’s entry to cosmos, let me please say in bold letters:

if anything, this incident underscores the need for a firm like Amulet

Thanks @Jessysaurusrex for taking on one of Cosmos’ most challenging roles.

Would be really useful to know this update is going to be state breaking ahead of time if possible.

Also it seems like only validators are going to need to be upgraded for now. Is that correct?

2 Likes

@Greg
In the past, when faced with 0-day vulnerabilities, we have coordinated between chain core teams before public release of the bug.

Cosmos chains often implement custom modules, which make updates that could seem mundane and quick complicated.

The risk of chain halt before and during the upgrade period for this issue means that we must choose when to break our chains.

2 Likes