GHSA-x5vx-95h7-rv4p

Name: ASA-2025-003: Groups module can halt chain when handling a malicious proposal Component: CosmosSDK Criticality: High (Considerable Impact; Likely Likelihood per ACMv1.2) Affected versions: <= v0.47.15, <= 0.50.11 Affected users: Validators, Full nodes, Users on chains that utilize the groups module

Description

An issue was discovered in the groups module where a malicious proposal would result in a division by zero, and subsequently halt a chain due to the resulting error. Any user that can interact with the groups module can introduce this state.

Patches

The new Cosmos SDK release v0.50.12 and v0.47.16 fix this issue.

Workarounds

There are no known workarounds for this issue. It is advised that chains apply the update.

Timeline

• February 9, 2025, 5:18pm PST: Issue reported to the Cosmos Bug Bounty program
• February 9, 2025, 8:12am PST: Issue triaged by Amulet on-call, and distributed to Core team
• February 9, 2025, 12:25pm PST: Core team completes validation of issue
• February 18, 2025, 8:00am PST / 17:00 CET: Pre-notification delivered
• February 20, 2025, 8:00am PST / 17:00 CET: Patch made available

This issue was reported to the Cosmos Bug Bounty Program by dongsam on HackerOne on February 9, 2025. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.

If you have questions about Interchain security efforts, please reach out to our official communication channel at security@interchain.io. For more information about the Interchain Foundation’s engagement with Amulet, and to sign up for security notification emails, please see https://github.com/interchainio/security.

A Github Security Advisory for this issue is available in the Cosmos SDK repository.