Cosmos SDK ASA-2024-010: Mismatched Bit-Length Vulnerability (High)

2024-11-20

Platform: Cosmos SDK
Version: cosmossdk.io/math versions <= math/v1.3.0
Vulnerability: Mismatched bit-length validation in sdk.Int and sdk.Dec
Severity: High
Date: Nov 20, 2024

What Undercode Says:

A high-severity vulnerability (ASA-2024-010) has been identified in the Cosmos SDK's cosmossdk.io/math package (versions <= math/v1.3.0). It stems from a mismatch between the bit-length validation applied to the sdk.Int and sdk.Dec types: because the two types do not enforce the same limit, a Dec value used in an Int context can crash the program (panic).

The impact is limited to users who call APIs in the cosmossdk.io/math library directly or use modules that depend on it, including IBC-Go and tokenfactory. Upgrading to cosmossdk.io/math v1.4.0 resolves the issue; the update requires no hard fork and is applied by updating the dependency in your project's go.mod. Users on versions below cosmossdk.io/math v1.3.0 should coordinate an upgrade before moving to v1.3.0 or higher.

The vulnerability was identified and reported through the Cosmos Bug Bounty program on HackerOne on October 31, 2024.
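To make the mismatch concrete, here is a small model written for this summary, not code from cosmossdk.io/math: it assumes an Int limit of 256 bits and a Dec that stores its value as an integer scaled by 10^18, so the scaled representation needs roughly 60 more bits than the integer part it describes. The unchecked conversion reproduces the panic the advisory describes; the checked variant returns an error the caller can handle.

```go
package main

import (
	"errors"
	"math/big"
)

// Assumed limits mirroring cosmossdk.io/math: Int caps at 256 bits; Dec scales by 10^18.
const (
	intMaxBitLen = 256
	decPrecision = 18
)

var scale = new(big.Int).Exp(big.NewInt(10), big.NewInt(decPrecision), nil)

// ErrIntOverflow is what the checked path returns instead of panicking.
var ErrIntOverflow = errors.New("value does not fit in a 256-bit Int")

// Dec is a minimal stand-in for sdk.Dec: i holds the value multiplied by 10^18.
type Dec struct{ i *big.Int }

// NewDecFromIntegerPart builds a Dec whose integer part is n.
func NewDecFromIntegerPart(n *big.Int) Dec { return Dec{i: new(big.Int).Mul(n, scale)} }

// BitLen reports how many bits the scaled representation needs (about 60 more than the integer part).
func (d Dec) BitLen() int { return d.i.BitLen() }

// TruncateIntPanics models the pre-fix path: the Int constructor panics on overflow, crashing the process.
func (d Dec) TruncateIntPanics() *big.Int {
	q := new(big.Int).Quo(d.i, scale)
	if q.BitLen() > intMaxBitLen {
		panic("Int overflow: bit length exceeds MaxBitLen")
	}
	return q
}

// TruncateIntChecked validates first and returns an error the caller can handle.
func (d Dec) TruncateIntChecked() (*big.Int, error) {
	q := new(big.Int).Quo(d.i, scale)
	if q.BitLen() > intMaxBitLen {
		return nil, ErrIntOverflow
	}
	return q, nil
}

// Panics reports whether the unchecked conversion of d would crash the caller.
func Panics(d Dec) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	d.TruncateIntPanics()
	return false
}
```

Wrapping the conversion in a checked helper like this, or upgrading to v1.4.0, turns a node-crashing panic into a recoverable error.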
