Quick Preliminary Analysis on Cosmos Updated SDK Codes on Github
The Cosmos team announced earlier this morning (GMT+8) that a critical security vulnerability was found in the Cosmos SDK two days ago, and that a corresponding patch was subsequently released (https://github.com/cosmos/cosmos-sdk/tree/release/v0.34.6) in v0.34.6 of the Cosmos SDK. Related technical details will be disclosed within 7 to 10 business days. The Cosmos team also said that they are coordinating a hard fork to upgrade the Cosmos mainnet, and are reaching out to validators to ensure that they are available to respond during the network transition at block height 482100.
We, Beosin (Chengdu Lian’An Technology Co., Ltd.), performed a quick preliminary analysis of the updated Cosmos SDK code on GitHub. In brief, the key change in this update is to the undelegation logic. The former undelegation logic could terminate the undelegation of coins early because it keyed on the validator's status: when the status read "unbonded", the coins were undelegated immediately, without checking the completion time. After the update, once the block height reaches 482100 that logic is discarded, meaning every undelegation of coins must wait for its completion time. That is what we have found so far. Any other hazards that the former vulnerable code might trigger will be disclosed once our further analysis confirms them.
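To make the difference between the two code paths concrete, here is an added example (our own simplified model, not code from the Cosmos SDK) that reproduces the behaviour described above: below height 482100 an "unbonded" validator status releases coins at once, and from that height on only the completion time is consulted. The `Undelegation` type, the `ReleaseAllowed` and `PrematureReleases` functions and the sample entries are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"time"
)

// PatchHeight is the activation height named in the Cosmos announcement.
const PatchHeight int64 = 482100

// Undelegation is a constructed stand-in for an unbonding entry awaiting payout.
type Undelegation struct {
	Delegator      string
	Amount         int64
	CompletionTime time.Time
}

// ReleaseAllowed models the two code paths the post describes. Below PatchHeight
// it reproduces the pre-patch shortcut: a validator whose status reads "unbonded"
// releases the coins at once, without consulting CompletionTime.
func ReleaseAllowed(height int64, now time.Time, status string, u Undelegation) bool {
	if height < PatchHeight && status == "unbonded" {
		return true // legacy path: completion time is never checked
	}
	return !now.Before(u.CompletionTime) // patched path: only maturity matters
}

// PrematureReleases is an audit helper: it returns the entries that would be
// paid out before their completion time, i.e. exactly the cases the post says
// the patch closes. With height >= PatchHeight it must always return nil.
func PrematureReleases(height int64, now time.Time, status string, us []Undelegation) []Undelegation {
	var out []Undelegation
	for _, u := range us {
		if ReleaseAllowed(height, now, status, u) && now.Before(u.CompletionTime) {
			out = append(out, u)
		}
	}
	return out
}

func main() {
	now := time.Date(2019, 4, 22, 0, 0, 0, 0, time.UTC) // constructed timestamp
	entries := []Undelegation{
		{"alice", 100, now.Add(21 * 24 * time.Hour)}, // still inside the unbonding period
		{"bob", 50, now.Add(-time.Hour)},             // already matured
	}
	fmt.Println("before patch:", len(PrematureReleases(PatchHeight-1, now, "unbonded", entries)), "premature")
	fmt.Println("after patch: ", len(PrematureReleases(PatchHeight, now, "unbonded", entries)), "premature")
}
```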