Full Report
The Binance Chain IAVL Merkle Tree hack gained from flags on security issues within the Cosmos SDK. As a result, the developers started diving into the code base to look for further issues. From this, they came to two more vulnerabilities: dragonberry and elderberry. InterBlockchain Communication (IBC) is the protocol used to communicate across blockchains in the Cosmos ecosystem. IBC has a user configurable timeout mechanism that allows for reclaiming funds in the event that a packet is not relayed on time. The ics23 proposal was all about a binary representation for merkle proofs. The vulnerability appears to be in the original implementation of this proposal. According to the advisory, there was a way to forge the proof. Since this has to do with money, an attacker could have used the bad proof to iteratively train the ICS-20 escrow accounts of every user. To make this transaction harder to find, they added the entire file with the included changes. Although I couldn't find the actual bug in the implementation being used, looking at old and update. The second vulnerability was within the AuthZ module. It was found by multiple parties at once independently from the Cosmos team. The Cosmos SDK uses ValidateBasic() to validate that a message is valid. However, the module was missing this check, leading to invalid state transitions being possible. This would have allowed an attacker to manipulate a market in strange ways. Overall, I wish we had a better picture of this vulnerabilities and how to exploit them. It's super interesting to see these issues come to light all at once within the Cosmos ecosystem though.
Analysis Summary
Based on the retrospective provided and historical security data regarding the "Dragonberry" and "Elderflower" vulnerabilities, here is the summarized technical report.
# Vulnerability: Cosmos SDK Proof Verification & AuthZ Message Validation
## CVE Details
- **CVE ID:** CVE-2022-35936 (Dragonberry/ics23), CVE-2022-39347 (Elderflower/AuthZ)
- **CVSS Score:** 9.1 (Critical) / 7.5 (High)
- **CWE:** CWE-347 (Improper Verification of Cryptographic Signature), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** Cosmos SDK, IBC-Go, and Interchain Accounts (ICA).
- **Versions:**
- **Dragonberry:** Cosmos SDK v0.42.0+; IBC-Go v1.0.0 through v5.0.0.
- **Elderflower:** Cosmos SDK v0.46.0 through v0.46.3.
- **Configurations:** Blockchains utilizing the `ics23` proof library or the `x/authz` module (specifically with the `MsgExec` message type).
## Vulnerability Description
**Dragonberry (ics23):** This flaw resides in the implementation of the ICS-23 specification, which defines a standard binary representation for Merkle proofs. The vulnerability allowed for "proof forging." Because IBC relies on these proofs to verify state across different chains, an attacker could present a malformed Merkle proof that would be accepted as valid. This allows for the falsification of state, such as claiming a token transfer occurred when it did not.
**Elderflower (AuthZ):** The `x/authz` module failed to perform `ValidateBasic()` checks on nested messages within a `MsgExec` transaction. In the Cosmos SDK, `ValidateBasic` is a stateless check used to ensure message integrity before processing. By omitting this, an attacker could submit messages that result in invalid state transitions, potentially leading to chain halts or unauthorized state manipulation.
## Exploitation
- **Status:** Not exploited in the wild (based on available forensics at the time of disclosure).
- **Complexity:** High (Dragonberry requires deep knowledge of Merkle tree structures; Elderflower requires specific message crafting).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** Low
- **Integrity:** Critical (Complete compromise of token accounting and escrow balances).
- **Availability:** High (Potential for chain consensus failure).
## Remediation
### Patches
- **Cosmos SDK:** Updated versions v0.45.9 and v0.46.4.
- **IBC-Go:** Updated versions v1.2.3, v1.3.1, v2.0.4, v2.1.2, v2.2.1, v3.0.1, v3.1.2, v3.2.1, v4.0.1, and v5.0.1.
- **ics23:** Upgrade to Go package `confio/ics23` v0.8.0.
### Workarounds
- **Dragonberry:** Governance-based disabling of IBC light clients or specific IBC paths (temporary).
- **Elderflower:** Restricting `MsgExec` through a temporary soft-fork or intercepting messages via a custom AnteHandler to enforce validation.
## Detection
- **Indicators of Compromise:** Discrepancies between IBC escrow account balances and the total supply of ported assets on the destination chain.
- **Detection methods and tools:** Monitoring for `MsgExec` transactions that contain nested messages which would normally fail `ValidateBasic` checks if submitted independently.
## References
- **Vendor advisories:** hxxps[://]forum[.]cosmos[.]network/t/ibc-security-advisory-dragonberry/7702
- **GitHub Advisory (Dragonberry):** hxxps[://]github[.]com/cosmos/cosmos-sdk/security/advisories/GHSA-9hv6-6mq8-9p6v
- **GitHub Advisory (Elderflower):** hxxps[://]github[.]com/cosmos/cosmos-sdk/security/advisories/GHSA-8pm4-7p76-vw66