Cosmos-SDK Security Advisory Jackfruit

Recently, the Cosmos-SDK team became aware of a high-severity security vulnerability that impacts Cosmos-SDK v0.43.x and v0.44.x. User funds are NOT at risk; however, the vulnerability can result in a chain halt. This vulnerability does not impact the current Cosmos Hub, though other Cosmos-SDK based blockchains using v0.43.x or v0.44.x may be affected and are advised to update to v0.44.2 immediately when it is available. Nodes can update their software independently of each other (no coordinated chain restart necessary), but should do so as soon as they are able.

A patch for the issue will be released in version v0.44.2 of the Cosmos-SDK at 14:00 UTC on Tuesday, October 12, 2021. The patch does not involve state-machine breaking changes against v0.44.x.

Note that v0.43.x was already discontinued due to a prior security release - upgrading from v0.43.x to v0.44.x does involve a state-machine breaking change, though it is recommended to upgrade immediately.

This notice has been posted in accordance with the Cosmos-SDK’s vulnerability disclosure policy.

The patches that resolve the issues comprising Security Advisory Jackfruit have been released in v0.44.2 of the Cosmos-SDK. All releases are now available to the public.

A full timeline of the vulnerability disclosure and coordination activities that comprise this release should be available by Tuesday, October 19.

You can find source code and binaries available on the respective release page:

Again, this vulnerability does not impact the current Cosmos Hub.
