Cosmos-SDK Security Advisory Pineapple

Recently, the core Cosmos development team became aware of a potential security vulnerability impacting IBC in Cosmos-SDK 0.42.x and ibc-go v1.x.x and v2.x.x. The bug appears to be low-severity in general but may be high-severity depending on the design of certain modules. User funds in accounts and staking delegations are NOT at risk; however, the vulnerability may result in unexpected behavior for certain modules.

We encourage all chains using Cosmos-SDK v0.42.x with IBC enabled or Cosmos-SDK 0.44.x/0.45.x with ibc-go in production to upgrade as soon as possible. Chains interested in inspecting the patch to determine whether any of their modules may be adversely affected by the bug should contact the IBC team at Interchain GmbH in the ibc-core channel on the Cosmos Discord. We can provide support to help decide when to upgrade.

Note the patch is state-machine breaking. Thus validators must coordinate to upgrade at the same height to avoid the risk of a consensus failure if the bug is triggered before all nodes have upgraded. This also means that if the bug was triggered already in the past, the upgraded software may reject blocks when syncing from a historical point.

While the bug is present on the Cosmos Hub, there is no known adverse impact on any of the modules. An upgrade for the Cosmos Hub thus does not appear necessary at this time. The patch will be included in a future release of the Cosmos Hub.

A patch to remediate this issue will be released on Tuesday, March 15th, 2022 at 14:00 UTC in the following versions:

  • ibc-go v1.3.0 and v2.1.0 (for anyone using the v0.44.x line of the Cosmos-SDK)
  • ibc-go v1.4.0 and v2.2.0 (for anyone using the v0.45.x line of the Cosmos-SDK)

Please note that Cosmos-SDK v0.42.x has reached end of life and therefore a patch will not be released for it. Chains running Cosmos SDK v0.42.x should upgrade to v0.44.x as soon as possible and import ibc-go v1.3.0 and v2.1.0 if IBC is enabled. If you are running Cosmos-SDK 0.44.x with IBC enabled then upgrade ibc-go as soon as possible to v1.3.0 or v2.1.0. If you are running Cosmos-SDK v0.45.x with IBC enabled then upgrade ibc-go as soon as possible to v1.4.0 or v2.2.0.

This notice has been posted in accordance with the Cosmos-SDK’s vulnerability disclosure policy.

The patches that resolve the issues comprising Security Advisory Pineapple have been released in v1.3.0, v1.4.0, v2.1.0 and v2.2.0 of ibc-go. All releases are now available to the public.

A full timeline of the vulnerability disclosure and coordination activities that comprise this release should be available by Tuesday, March 22.

You can find the releases on ibc-go’s releases page.

Again, an upgrade for the Cosmos Hub thus does not appear necessary at this time.

Thank you for this. It’s a lot of work to keep track of these matters.