Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03MjI1LW05NTQtMjN2N84ABBlx

ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic

Name: ASA-2024-010: Mismatched bit-length in sdk.Int and sdk.Dec can lead to panic
Component: Cosmos SDK / Math
Criticality: High (Considerable Impact, and Possible Likelihood per ACMv1.2)
Affected versions: cosmossdk.io/math package versions <= math/v1.3.0
Affected users: Chain Builders + Maintainers, Validators

Impact

The bit-length in sdk.Int and sdk.Dec are not aligned, which may present a possible panic condition when interacting with Dec types in an Int context. This issue was resolved by aligning the max size between the data types in the cosmossdk.io/math package.

This issue impacts consumers of the cosmossdk.io/math, which includes popular modules including IBC-Go and tokenfactory (permissionless). If your chain interacts with APIs in the cosmossdk.io/math package, or utilizes a module that consumes this library, it is advised to update to the latest version at the time of the patch release by updating your project's go.mod dependency for cosmossdk.io/math.

The patch can be applied without a hard-fork, and with a version bump in a chain's go.mod file like the following:

go.mod

- cosmossdk.io/math v1.3.0
+ cosmossdk.io/math v1.4.0

[!NOTE]
When on a lower version than cosmossdk.io/math v1.3.0, please do a coordinated upgrade before upgrading to >= 1.3.0

Patches

The new release of cosmossdk.io/math v1.4.0 resolves this issue. Chains that utilize the cosmossdk.io/math library or modules that utilize the cosmossdk.io/math library should update to avoid this condition.

Timeline

This issue was reported by LonelySloth to the Cosmos Bug Bounty Program on HackerOne on October 31, 2024. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at [email protected]. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

Permalink: https://github.com/advisories/GHSA-7225-m954-23v7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03MjI1LW05NTQtMjN2N84ABBlx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 20 days ago
Updated: 18 days ago


Identifiers: GHSA-7225-m954-23v7
References: Repository: https://github.com/cosmos/cosmos-sdk
Blast Radius: 0.0

Affected Packages

go:cosmossdk.io/math
Dependent packages: 2,231
Dependent repositories: 638
Downloads:
Affected Version Ranges: <= 1.3.0
Fixed in: 1.4.0
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.3.0
All unaffected versions: 1.4.0