2024-11-20
Platform: Cosmos SDK
Version: cosmossdk.io/math versions <= math/v1.3.0
Vulnerability: Mismatched bit-length validation in sdk.Int and sdk.Dec
Severity: High
Date: Nov 20, 2024
What Undercode Says:
A high-severity vulnerability (ASA-2024-010) has been identified in the Cosmos SDK's cosmossdk.io/math package (versions <= math/v1.3.0). It arises from a mismatch in the bit-length validation between the sdk.Int and sdk.Dec data types: a Dec value can pass Dec validation yet exceed the bit length that Int accepts, so using such a Dec in an Int context can crash the program (panic). The impact is limited to users who interact with APIs within the cosmossdk.io/math library or use modules that depend on it (including IBC-Go and tokenfactory). Upgrading to cosmossdk.io/math v1.4.0 resolves the issue. The update can be applied without a hard fork by changing the dependency version in your project's go.mod. For users on versions below cosmossdk.io/math v1.3.0, a coordinated upgrade is recommended before transitioning to v1.3.0 or higher. The Cosmos Bug Bounty program on HackerOne identified and reported this vulnerability on October 31, 2024.
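The following Go program is an added illustration of the failure mode the advisory describes; it is a constructed model written for this page, not code from cosmossdk.io/math, and the bit budgets (256 bits for the Int-like type, 64 extra bits for the Dec-like type, 18 decimal places) are assumptions chosen to make the mismatch visible. A Dec value is accepted because it fits the larger Dec budget, but its integer part no longer fits Int; the unchecked conversion defers the check to later Int arithmetic, where it panics, while the checked conversion validates at the type boundary and returns an error instead.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Limits for this model. The numbers are assumptions chosen to make the
// mismatch visible; they are not copied from cosmossdk.io/math.
const (
	intMaxBitLen = 256 // bit budget of the Int-like type
	decPrecision = 18  // decimal places carried by the Dec-like type
	decExtraBits = 64  // extra bits the Dec-like type allows for its fraction
	decMaxBitLen = intMaxBitLen + decExtraBits
)

// decScale = 10^decPrecision; a Dec's value is raw / decScale.
var decScale = new(big.Int).Exp(big.NewInt(10), big.NewInt(decPrecision), nil)

// ErrIntOverflow is returned by the checked conversion instead of panicking.
var ErrIntOverflow = errors.New("value exceeds the Int bit-length limit")

// Dec models a fixed-point decimal with a larger bit budget than Int.
type Dec struct{ raw *big.Int }

// Int models the bounded integer type whose operations enforce intMaxBitLen.
type Int struct{ i *big.Int }

// NewDecFromRaw accepts any raw integer that fits the Dec budget. A valid Dec
// may therefore hold an integer part larger than any valid Int.
func NewDecFromRaw(raw *big.Int) (Dec, error) {
	if raw.BitLen() > decMaxBitLen {
		return Dec{}, fmt.Errorf("dec out of range: %d bits > %d", raw.BitLen(), decMaxBitLen)
	}
	return Dec{raw: new(big.Int).Set(raw)}, nil
}

// BitLen reports the bit length of the underlying integer.
func (x Int) BitLen() int { return x.i.BitLen() }

// mustBeInRange is the Int invariant guard; it panics rather than erroring.
func (x Int) mustBeInRange() {
	if x.i.BitLen() > intMaxBitLen {
		panic(fmt.Sprintf("Int overflow: %d bits > %d", x.i.BitLen(), intMaxBitLen))
	}
}

// TruncateIntUnchecked reproduces the mismatch: the Dec's integer part is
// handed to Int without re-validating it against Int's smaller budget, so
// the panic surfaces later, inside Int arithmetic.
func (d Dec) TruncateIntUnchecked() Int {
	return Int{i: new(big.Int).Quo(d.raw, decScale)}
}

// TruncateIntChecked is the hardened form: the converted value is validated
// at the type boundary and an error is returned instead of a deferred panic.
func (d Dec) TruncateIntChecked() (Int, error) {
	q := new(big.Int).Quo(d.raw, decScale)
	if q.BitLen() > intMaxBitLen {
		return Int{}, fmt.Errorf("%w: %d bits", ErrIntOverflow, q.BitLen())
	}
	return Int{i: q}, nil
}

// Add is a representative Int operation that enforces the invariant.
func (x Int) Add(y Int) Int {
	x.mustBeInRange()
	y.mustBeInRange()
	r := Int{i: new(big.Int).Add(x.i, y.i)}
	r.mustBeInRange()
	return r
}

// AddPanics reports whether using d in an Int context via the unchecked path
// crashes, which is the failure mode the advisory warns about.
func AddPanics(d Dec) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	d.TruncateIntUnchecked().Add(Int{i: big.NewInt(1)})
	return false
}

// HugeDec builds a constructed Dec whose integer part needs more than 256
// bits while the raw value (2^319, 320 bits) still fits the Dec budget.
func HugeDec() Dec {
	d, err := NewDecFromRaw(new(big.Int).Lsh(big.NewInt(1), 319))
	if err != nil {
		panic(err)
	}
	return d
}

func main() {
	d := HugeDec()
	fmt.Println("unchecked path panics in Int context:", AddPanics(d))
	if _, err := d.TruncateIntChecked(); err != nil {
		fmt.Println("checked path returns an error instead:", err)
	}
}
```

The defensive point is where the check lives: validating once at the Dec-to-Int boundary turns a consensus-time panic into an ordinary error a caller can handle. For real deployments the remediation is the one the advisory gives, bumping the dependency in go.mod, which with standard Go tooling is `go get cosmossdk.io/math@v1.4.0` followed by `go mod tidy`.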
References:
Reported By: Github.com