IBC Security Advisory Dragonberry

Members of the core Cosmos and Osmosis teams have been extensively auditing IBC in the aftermath of the BSC exploit. We have discovered a critical security vulnerability that impacts all IBC-enabled Cosmos chains, for all versions of IBC.

Steps have already been taken to ensure that all major public IBC-enabled chains have been patched. Given the severity, we have been working tirelessly with core development teams and validators across the ecosystem to make the patch available privately and ensure chains are patched before communicating publicly.

Members of the Informal Systems, Interchain GmbH, and Osmosis teams have been coordinating with a majority of the chains in the interchain. If you lead development of a Cosmos blockchain project that has not been patched, please reach out immediately to security@interchain.io.

A chain is safe from the critical vulnerability as soon as ⅓ of its voting power has applied the patch. Chains should still seek to patch to ⅔ as quickly as possible once the official patch is released.

A public version of the patch will be released in Cosmos SDK v0.45.9 within 24 hours, at 14:00 UTC on Friday, October 14, 2022. It is highly advised that all chains and validators upgrade to the newly released patch immediately, even if they have already patched privately.

The patch can be deployed individually by validators without a chain-halt upgrade and should be applied as soon as possible. That said, it is still possible that validators and/or chains will halt during the upgrade process. If this happens, please contact security@interchain.io immediately.

We will continue to audit the codebase and to organize additional third-party audits. If you find a vulnerability, please disclose it responsibly via our bug bounty program: HackerOne

This notice has been posted in accordance with the Cosmos vulnerability disclosure policy.

16 Likes

Is that a new bug that Verichains discovered?

This is unrelated to the Verichains bug, which does not affect IBC chains.

2 Likes

The dragonberry patch is now available on v0.45.9. Patches for other release lines will be made available momentarily.

We strongly encourage all chains to upgrade immediately (even if you have already been privately patched). Please prepare a new release for your chain using the latest version of the SDK and begin deploying to your validators. If you maintain a fork of the SDK, please backport the entire commit of the latest release to your fork.

Note, in addition to updating the SDK version, chains must add the following replace directive to their go.mod:

replace github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8.0

1 Like

UPDATE: Please note the original replace directive was incorrect. It has been updated. The replace directive to use in your code is the following:

replace github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8.0

1 Like

A patch is now available for chains on the v0.44.x line that are on v0.44.5 or below. It can be found in v0.44.5-patch. If you are on the v0.44.x line and are above v0.44.5, please contact security@interchain.io.

Note, in addition to updating the SDK version, chains must also add the following replace directive to their go.mod:

replace github.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8.0

If a chain is upgrading to v0.44.5-patch and is currently on v1.1.x, v1.2.x or v2.0.x of ibc-go, they should use the corresponding patch version: v1.1.7, v1.2.7, v2.0.4; tags are here

We strongly encourage all chains to upgrade immediately (even if you have already been privately patched). Please prepare a new release for your chain using the latest version of the SDK and begin deploying to your validators. If you maintain a fork of the SDK, please backport the entire commit of the latest release to your fork.

A release for v0.46.x is not being planned at this time. If you are on v0.46.x, please contact security@interchain.io.

3 Likes
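A release check for the go.mod requirement stated in the posts above, as an added example that is not part of the original thread or of the Cosmos SDK. It verifies that the ics23 replace directive is present and points at the exact target quoted in the thread, in single-line or block form. The function name and the sample module name are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

const (
	oldPath = "github.com/confio/ics23/go"
	want    = "github.com/cosmos/cosmos-sdk/ics23/go v0.8.0"
)

// CheckICS23Replace reports "ok", "missing" or "wrong: <directive>" for the
// ics23 replace directive, in single-line or block form.
func CheckICS23Replace(gomod string) string {
	result, inBlock := "missing", false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "//") // a commented-out directive does not count
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "replace" && f[1] == "(":
			inBlock = true
			continue
		case inBlock && len(f) == 1 && f[0] == ")":
			inBlock = false
			continue
		case len(f) > 0 && f[0] == "replace":
			f = f[1:] // single-line form: drop the keyword
		case !inBlock:
			continue // module, go, require and other lines
		}
		lhs, rhs, found := strings.Cut(strings.Join(f, " "), " => ")
		if !found || strings.Fields(lhs)[0] != oldPath {
			continue
		}
		// A version-pinned left side only covers that one version, so it is not accepted.
		if lhs == oldPath && rhs == want {
			return "ok"
		}
		result = "wrong: " + lhs + " => " + rhs
	}
	return result
}

func main() {
	// Constructed go.mod for illustration; the module name is hypothetical.
	sample := "module example.com/mychain\n\nrequire github.com/cosmos/cosmos-sdk v0.45.9\n\n" +
		"replace (\n\tgithub.com/confio/ics23/go => github.com/cosmos/cosmos-sdk/ics23/go v0.8.0\n)\n"
	fmt.Println(CheckICS23Replace(sample))
}
```

Run it against each release branch's go.mod in CI so that a missing or mistyped directive fails the build before binaries reach validators.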