Full Report
Currently, analyzing transactions for EVM chains is super easy. There are ways to fork the chain and run it locally, you can step through a transaction step by step in a debugger, and there are great graphing tools to see the calls occurring in the TX. In Cosmos, there is no such thing. So, this article discusses how to improve this in Cosmos.

The post discusses what keepers are, Cosmos events, and how state is stored in Cosmos. Additionally, it discusses the traceability of CosmWasm transactions being minimal as well. The only thing that's interesting to me was that events are not part of the AppHash. They link to a GitHub thread about why: A) the event API is prone to changes and B) event changes would be consensus breaking.

Tracing transactions in Cosmos can only be done by looking at Cosmos events. However, these may be incorrect in the case of a malicious CosmWasm call. So, Range has written a tool called Isotope that modifies a given node to inject extra information into it in order to enhance the observing aspect of it. This allows for a comprehensive understanding of the lifecycle of a transaction. My guess is that they modified CosmWasm and the Cosmos SDK to add more information to it. Unfortunately, this tool doesn't seem to be open to the public yet :(

Besides this, they have created a simulator. Given transaction data, it will run the transaction for you. This is on their website but has fairly hefty limits (5 per day in the free tier). So, although it is pretty cool, you can't rerun a TX from a previous block, which sucks. This is a step in the right direction, but there is MUCH more that needs to be done in the Cosmos space.
Analysis Summary
# Research: Advanced Transaction Analysis in Cosmos and CosmWasm
## Metadata
- **Authors:** Range Team
- **Institution:** Range Security
- **Publication:** Range Security Blog
- **Date:** June 21, 2024
## Abstract
This research addresses the significant visibility gaps in the Cosmos ecosystem compared to EVM-based chains. While Ethereum benefits from robust execution tracing and debugging tools, Cosmos suffers from a lack of deep transaction observability, particularly within CosmWasm smart contracts. The article explores the technical architecture of Cosmos (Keepers, Events, and ABCI interaction) and introduces two new technical solutions: **Isotope**, a modified node implementation for high-fidelity tracing, and a transaction simulator for pre-execution analysis.
## Research Objective
The primary objective is to solve the "observability gap" in the Cosmos ecosystem. Specifically, the research aims to:
1. Identify why standard Cosmos events are insufficient for security auditing and forensic analysis.
2. Develop a method to capture internal contract calls and state changes that are currently "invisible" to standard indexers.
3. Provide tools for simulating transactions to predict outcomes and prevent malicious interactions.
## Methodology
### Approach
The researchers conducted a structural analysis of the Cosmos SDK and CosmWasm VM to identify where data is lost during execution. They focused on the `BaseApp` routing, the `Keeper` pattern, and the `WasmVM` execution flow. Based on this, they developed a system-level modification to the node's core logic to intercept execution data.
### Dataset/Environment
- **Environment:** Cosmos SDK-based blockchains.
- **Focus Area:** CosmWasm (Wasm module) message execution and interaction with the `Prefix Store` and `Bank` modules.
### Tools & Technologies
- **Cosmos SDK & ABCI:** The underlying framework for the research.
- **CosmWasm/Wasmer:** The smart contract execution environment.
- **Isotope:** A proprietary modified node designed by Range to inject extra instrumentation into the execution lifecycle.
- **Range Simulator:** A web-based tool for replaying or simulating transactions.
## Key Findings
### Primary Results
1. **Event Unreliability:** Events are not included in the `AppHash` (consensus), meaning they can be spoofed by malicious contracts and cannot be used as a "source of truth" for state changes.
2. **Observability Debt:** Standard Cosmos nodes provide minimal information regarding sub-messages and internal queries within a single transaction.
3. **Internal Transparency:** By modifying the Wasm keeper and the Go-bindings of the VM, it is possible to reconstruct a full "call trace" similar to those available in Ethereum (e.g., Tenderly or Phalcon).
### Supporting Evidence
- **Consensus Architecture:** The research cites the Tendermint/CometBFT specification where events are excluded from consensus to prevent breaking changes when API schemas evolve.
- **Execution Lifecycle:** Analysis of the `MsgServiceRouter` confirms that once a message enters a module (like `x/wasm`), the standard SDK loses visibility into subsequent internal actions unless explicitly emitted as events.
### Novel Contributions
- **Isotope Engine:** A first-of-its-kind (though currently private) modification to the Cosmos node stack that allows for deep instrumentation of the WasmVM.
- **Cosmos-Specific Simulation:** One of the few publicly accessible simulators that handles the complexities of Cosmos multi-module interactions (e.g., Bank, Staking, and Wasm).
## Technical Details
The research highlights that Cosmos state is managed via **Keepers**, which act as gateways to module-specific **KVStores**. CosmWasm contracts interact with a **Prefix Store**, a sub-segmented portion of the state. The critical technical bottleneck identified is the interface between the **WasmVM (Wasmer)** and the **Cosmos SDK**. When a contract executes, it creates a "black box" effect. Range’s approach involves "hooking" these interactions to log the inputs and outputs of every sub-call and state mutation before they are committed to the underlying database.
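The following is an added example, not code from Range's post or from Isotope, showing how a defender could use traced state mutations to check whether emitted events tell the truth: it nets the transfers that events claim against the balance changes actually written to state and reports every account where the two disagree. The record types, `Reconcile`, `Sample` and the account names are assumptions made for illustration; Isotope's trace format is not public.

```go
package main

import (
	"fmt"
	"sort"
)

// ClaimedTransfer is a transfer as reported by an emitted event (untrusted input).
type ClaimedTransfer struct {
	Sender, Recipient, Denom string
	Amount                   int64
}

// BalanceWrite is one traced balance mutation. Hypothetical record shape.
type BalanceWrite struct {
	Account, Denom string
	Before, After  int64
}

// Reconcile nets event claims and traced writes per (account, denom) and
// returns a sorted finding for every key where the two disagree.
func Reconcile(claims []ClaimedTransfer, writes []BalanceWrite) []string {
	type key struct{ acct, denom string }
	claimed, actual := map[key]int64{}, map[key]int64{}
	for _, c := range claims {
		claimed[key{c.Sender, c.Denom}] -= c.Amount
		claimed[key{c.Recipient, c.Denom}] += c.Amount
	}
	for _, w := range writes {
		actual[key{w.Account, w.Denom}] += w.After - w.Before
		claimed[key{w.Account, w.Denom}] += 0 // ensure keys seen only in state are compared
	}
	var findings []string
	for k, want := range claimed {
		if got := actual[k]; got != want {
			findings = append(findings, fmt.Sprintf(
				"%s %s: events claim %+d, state changed %+d", k.acct, k.denom, want, got))
		}
	}
	sort.Strings(findings)
	return findings
}

// Sample returns constructed data: the event says alice paid vault, the trace says mallory was paid.
func Sample() ([]ClaimedTransfer, []BalanceWrite) {
	return []ClaimedTransfer{{"alice", "vault", "uatom", 500}},
		[]BalanceWrite{{"alice", "uatom", 1000, 500}, {"mallory", "uatom", 0, 500}}
}

func main() {
	for _, f := range Reconcile(Sample()) {
		fmt.Println(f)
	}
}
```

An indexer that trusted the event alone would credit `vault`; the reconciliation surfaces both the missing credit and the unreported recipient.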
## Practical Implications
### For Security Practitioners
- **Forensics:** Provides the ability to deconstruct complex DeFi exploits on Cosmos chains by seeing exactly which internal message triggered a fund drain.
- **Auditing:** Enables auditors to verify that contract logic matches execution traces in a granular way.
### For Defenders
- **Threat Detection:** Improved tracing allows for more accurate real-time monitoring of "suspicious" internal contract calls that wouldn't normally appear in basic event logs.
### For Researchers
- **Tooling Parity:** Sets a benchmark for the type of infrastructure needed (debuggers, visualizers) to bring Cosmos security on par with the EVM ecosystem.
## Limitations
- **Proprietary Nature:** The "Isotope" tool is currently not open-source, limiting its use to Range’s customers or platform.
- **Simulation Constraints:** The simulation tool has "hefty limits" (5 per day) and lacks the ability to easily rerun transactions from specific historical blocks in the free tier.
- **Consensus Divergence:** Because the tool uses a modified node, it represents an "observer" view rather than the "protocol" view, which could lead to discrepancies if not maintained alongside SDK updates.
## Comparison to Prior Work
Unlike standard block explorers (e.g., Mintscan) which rely solely on emitted events, this research moves "down the stack" into the execution engine itself. It bridges the gap between high-level blockchain data and low-level VM execution, a jump that has been well-documented in Ethereum but remained largely unaddressed in the Cosmos ecosystem.
## Real-world Applications
- **Exploit Analysis:** Rapidly identifying the root cause of IBC (Inter-Blockchain Communication) or CosmWasm-based hacks.
- **Pre-Execution Safety:** Wallets can use simulation to show users exactly what state changes (e.g., balance decreases) will occur before they sign a transaction.
## Future Work
- **Public Tooling:** The community requires open-source versions of deep-tracing nodes to ensure decentralized security analysis.
- **Historical Replay:** Improving the ability to fork the state at any arbitrary block height for retrospective debugging in Cosmos.
## References
- [CometBFT ABCI++ Documentation](https://github.com/cometbft/cometbft/blob/v0.38.0/spec/abci/abci++_basic_concepts.md)
- [Tendermint Issue #7471 (Events and AppHash)](https://github.com/tendermint/tendermint/issues/7471)
- [Range Security Official Blog](https://www.range.org/blog)