GO-2024-2638

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2638

Import Source

https://vuln.go.dev/ID/GO-2024-2638.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2638

Aliases

GHSA-95rx-m9m5-m94v

Published

2024-05-10T21:39:27Z

Modified

2024-05-20T16:03:47Z

Summary

ValidateVoteExtensions function in Cosmos SDK may allow incorrect voting power assumptions in github.com/cosmos/cosmos-sdk

Details

The default ValidateVoteExtensions helper function infers total voting power based on the injected VoteExtension, which are injected by the proposer.

If your chain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state. Additional validation on injected VoteExtension data was added to confirm voting power against the state machine.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2638"
}

References

Affected packages

Go / github.com/cosmos/cosmos-sdk

Package

Name: github.com/cosmos/cosmos-sdk; View open source insights on deps.dev
Purl: pkg:golang/github.com/cosmos/cosmos-sdk

Affected ranges

Type: SEMVER
Events: Introduced

0.50.0

Fixed

0.50.5

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "ValidateVoteExtensions"
            ],
            "path": "github.com/cosmos/cosmos-sdk/baseapp"
        }
    ]
}