Recently, the core Cosmos team became aware of a high-severity security vulnerability that impacts all users of the IAVL merkle proof verification (“RangeProof”) system, for all versions of the IAVL software. Details were made public by independent security researchers here. Importantly, this vulnerability DOES NOT impact users of IBC, the Cosmos-SDK, or the Cosmos Hub, unless they have gone out of their way to use the IAVL’s RangeProof system. IBC does not use the RangeProof system from the IAVL repo, it uses its own independently-specified system for merkle proof verification called ICS23. While the Cosmos-SDK uses the IAVL tree for merkle storage, it does not use the RangeProof system for proofs. It is highly recommended that all users of the IAVL merkle proof system migrate to use ICS23 instead.
A patch for the issue will be imminently released in version v0.19.3 of the IAVL. The patch does not involve state-breaking changes, but will cause previously valid exploit transactions to be rejected. There will be no corresponding release of the Cosmos-SDK at the moment, but a subsequent Cosmos-SDK release will occur in the coming week. Users who wish to continue using the IAVL’s native proof system should proceed carefully and adjust accordingly, but are strongly encouraged to migrate to use ICS23 instead. If you are using the RangeProof, please contact security at interchain.io.
This notice has been posted in accordance with the Cosmos-SDK’s vulnerability disclosure policy. While there is usually a 24-hour window between incident notification and patch release, details of this incident have already been made public independently - hence the expedited release of a patch.