Recently, the Cosmos-SDK team became aware of a high-severity security vulnerability that impacts Cosmos-SDK v0.43.x and v0.44.x. User funds are NOT at risk; however, the vulnerability can result in a chain halt. This vulnerability does not impact the current Cosmos Hub, though other Cosmos-SDK-based blockchains using v0.43.x or v0.44.x may be affected and are advised to update to v0.44.2 immediately when it is available. Nodes can update their software independently of each other (no coordinated chain restart is necessary), but should do so as soon as they are able.
A patch for the issue will be released in version v0.44.2 of the Cosmos-SDK at 14:00 UTC on Tuesday, October 12, 2021. The patch does not involve state-machine breaking changes against v0.44.x.
Note that v0.43.x was already discontinued due to a prior security release. Upgrading from v0.43.x to v0.44.x does involve a state-machine breaking change, but it is recommended to upgrade immediately.
This notice has been posted in accordance with the Cosmos-SDK’s vulnerability disclosure policy.