Full Report
The video explores the Cosmos SDK and highlights some of the key security considerations. The speaker is a protocol engineer at Osmosis, a very prominent blockchain in the web3 space. The Cosmos SDK gives developers significantly more control over the environment in which they work, and many of the issues surrounding Cosmos SDK chains stem from a central idea: "with great power comes great responsibility." On general-purpose smart contract platforms, many of these issues are taken care of for you: smart contracts are charged for each instruction that executes, and panics are handled for you. In the world of the Cosmos SDK this is not the case; all of this must be considered manually for each blockchain.

In the BeginBlocker/EndBlocker, the code is free of most restrictions: there is no gas, there are no timeouts, and there are no panic handlers. So ensuring that a malicious adversary cannot trigger a Go panic in this section of code is essential, and it is common for projects to have generic panic handlers to deal with this. Unbounded operations cannot exist here either. Apparently it is common for a module to make a sudo call into a user-controlled CosmWasm contract; since there is no gas limit, a user can run an infinite loop, allowing the call to continue indefinitely. Simply adding a gas meter to user-controlled operations is a wise move.

Another big one is non-determinism. This simply means code that may run differently on someone else's machine, leading to a consensus failure. Time-based checks, random number generators, floats and Go iteration over maps are not guaranteed to give the same result on every node. The main solution is just to not use functionality that behaves this way. Most L1s handle fees for you; in Cosmos, you can create your own fee markets, for instance making execution free, or free in specific scenarios.
However, it is important to recognize that this can be exploited: if transactions can be added indefinitely for nothing, an attacker can halt the chain. Overall, a good video from a knowledgeable developer/auditor. It is interesting because most of these issues stem from real-world issues found on Osmosis.
Analysis Summary
# Best Practices: Cosmos SDK Chain Security
## Overview
These practices address the unique security challenges of building sovereign blockchains using the Cosmos SDK. Unlike general-purpose smart contract platforms (like Ethereum) that provide built-in sandboxing, gas metering, and error handling, the Cosmos SDK grants developers low-level control. This "great power" necessitates manual implementation of security guardrails to prevent chain halts, consensus failures, and state machine exploits.
## Key Recommendations
### Immediate Actions
1. **Implement Generic Panic Handlers:** Wrap high-risk modules and execution blocks in `recover()` functions to prevent a single node panic from crashing the entire network.
2. **Audit BeginBlocker/EndBlocker:** Review all code within these functions for unbounded loops or logic that lacks gas constraints, as these run outside the normal transaction lifecycle.
3. **Sanitize Go Map Iteration:** Replace standard map iterations with sorted keys if the output affects the state, ensuring deterministic execution across all nodes.
4. **Enforce Basic Fee Floors:** Ensure no transaction type is completely "free" without strict rate-limiting to prevent spam-based Denial of Service (DoS).
### Short-term Improvements (1-3 months)
1. **Integrate Gas Meters for Sudo Calls:** When a module executes a "sudo" call to a CosmWasm contract, manually initialize and attach a `GasMeter` to limit execution time/resources.
2. **Deterministic Logic Review:** Remove all usage of floating-point math (`float32/64`), system time (`time.Now()`), and non-seeded random number generators in state-transition logic.
3. **Resource Profiling:** Establish benchmarks for block execution time to identify "heavy" transactions that could be used to stall the network.
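The panic-handler and gas-meter recommendations above (Immediate Action 1 and Short-term Improvement 1) come down to one pattern: run untrusted logic against a throw-away copy of state, charge it per unit of work, and let `recover()` turn an abort into an error instead of a halted node. The block below is an added illustration of that pattern, not code from the talk or from Osmosis. It uses only the Go standard library, so `GasMeter`, `State` and `RunMetered` are hypothetical stand-ins for the SDK's gas meter and cache context rather than the real types.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrOutOfGas is raised when metered logic exceeds its budget.
var ErrOutOfGas = errors.New("out of gas")

// GasMeter is a stdlib-only stand-in for the SDK gas meter (hypothetical, not
// the SDK type): it counts units and panics once the limit is crossed, which is
// how the real meter aborts a contract that loops forever.
type GasMeter struct {
	limit    uint64
	consumed uint64
}

func NewGasMeter(limit uint64) *GasMeter { return &GasMeter{limit: limit} }

// ConsumeGas charges for a unit of work and aborts the caller past the limit.
func (g *GasMeter) ConsumeGas(amount uint64, descriptor string) {
	g.consumed += amount
	if g.consumed > g.limit {
		panic(fmt.Errorf("%w: %s (limit %d)", ErrOutOfGas, descriptor, g.limit))
	}
}

func (g *GasMeter) GasConsumed() uint64 { return g.consumed }

// State is a toy module state; a real module would use a KVStore cache context.
type State struct {
	Counter uint64
}

// RunMetered executes untrusted logic against a copy of the state, under a gas
// limit and a recover() guard. Writes reach the real state only on success, so
// neither an out-of-gas abort nor an arbitrary panic can halt the block or
// leave half-applied state behind.
func RunMetered(store *State, limit uint64, fn func(gm *GasMeter, cache *State)) (gasUsed uint64, err error) {
	gm := NewGasMeter(limit)
	cache := *store // cheap copy; discarded unless fn returns normally
	defer func() {
		gasUsed = gm.GasConsumed()
		if r := recover(); r != nil {
			if e, ok := r.(error); ok && errors.Is(e, ErrOutOfGas) {
				err = e
				return
			}
			err = fmt.Errorf("untrusted callback panicked: %v", r)
		}
	}()
	fn(gm, &cache)
	*store = cache // commit only on normal return
	return gm.GasConsumed(), nil
}

func main() {
	st := &State{}
	// Well-behaved callback: bounded loop, charged per iteration.
	gas, err := RunMetered(st, 1_000, func(gm *GasMeter, s *State) {
		for i := 0; i < 10; i++ {
			gm.ConsumeGas(10, "loop iteration")
			s.Counter++
		}
	})
	fmt.Println("bounded:", gas, err, st.Counter)

	// Hostile callback (constructed): never terminates on its own; the meter stops it.
	gas, err = RunMetered(st, 1_000, func(gm *GasMeter, s *State) {
		for {
			gm.ConsumeGas(10, "loop iteration")
			s.Counter++
		}
	})
	fmt.Println("unbounded:", gas, err, st.Counter)
}
```

The second run is the sudo-call scenario from the report: without the meter the loop never returns and the block never finishes; with it, the callback is cut off at the budget, the cached writes are dropped, and the caller gets an `ErrOutOfGas` it can log and move past.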
### Long-term Strategy (3+ months)
1. **Custom Fee Market Modeling:** Design a robust fee market that dynamically adjusts based on network congestion to mitigate sophisticated halting attacks.
2. **Automated Determinism Testing:** Integrate "simulation testing" into the CI/CD pipeline that runs the same state transitions on different architectures to detect non-determinism early.
3. **Formal Verification of Core Modules:** Apply formal methods to critical modules (like Staking or Slashing) where logic errors could lead to catastrophic fund loss.
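Immediate Action 4 and Long-term Strategy 1 both hinge on the same check: a transaction either pays the fee floor or, if its message type is exempt, is admitted only within a per-sender, per-block quota. The following is an added example of such a gate written against the Go standard library; it is not code from the talk or from any Cosmos project. `FeeGate`, `Tx` and the message-type names are constructed stand-ins for what an SDK ante handler would read from `sdk.Tx`.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

var (
	ErrInsufficientFee = errors.New("insufficient fee")
	ErrRateLimited     = errors.New("fee-exempt quota exhausted for this block")
)

// Tx carries only the fields the gate needs (constructed type, not sdk.Tx).
type Tx struct {
	Sender   string
	MsgType  string // e.g. "oracle/MsgSubmitPrice" (constructed name)
	GasLimit uint64
	FeePaid  uint64 // smallest denomination units
}

// FeeGate models an ante-handler check: every tx either pays the fee floor or
// belongs to an exempt type that is rate-limited per sender per block, so
// "free" never means "unlimited".
type FeeGate struct {
	MinGasPrice uint64          // fee units charged per unit of gas
	Exempt      map[string]bool // message types allowed to pay nothing
	ExemptQuota int             // exempt txs a sender may submit per block
	height      int64
	used        map[string]int // sender -> exempt txs accepted this block
}

func NewFeeGate(minGasPrice uint64, exemptTypes []string, quota int) *FeeGate {
	g := &FeeGate{
		MinGasPrice: minGasPrice,
		Exempt:      map[string]bool{},
		ExemptQuota: quota,
		used:        map[string]int{},
	}
	for _, t := range exemptTypes {
		g.Exempt[t] = true
	}
	return g
}

// BeginBlock resets the per-block quota; a module would call it from BeginBlocker.
func (g *FeeGate) BeginBlock(height int64) {
	g.height = height
	g.used = map[string]int{}
}

// Check returns nil if the tx may enter the block.
func (g *FeeGate) Check(tx Tx) error {
	if g.Exempt[tx.MsgType] {
		if g.used[tx.Sender] >= g.ExemptQuota {
			return fmt.Errorf("%w: %s at height %d", ErrRateLimited, tx.Sender, g.height)
		}
		g.used[tx.Sender]++
		return nil
	}
	// Guard the multiplication: an absurd gas limit must not wrap to a tiny fee.
	if g.MinGasPrice != 0 && tx.GasLimit > math.MaxUint64/g.MinGasPrice {
		return fmt.Errorf("%w: gas limit %d too large to price", ErrInsufficientFee, tx.GasLimit)
	}
	required := tx.GasLimit * g.MinGasPrice
	if tx.FeePaid < required {
		return fmt.Errorf("%w: need %d, got %d", ErrInsufficientFee, required, tx.FeePaid)
	}
	return nil
}

func main() {
	g := NewFeeGate(2, []string{"oracle/MsgSubmitPrice"}, 2)
	g.BeginBlock(100)
	fmt.Println(g.Check(Tx{Sender: "alice", MsgType: "bank/MsgSend", GasLimit: 50_000, FeePaid: 100_000}))
	fmt.Println(g.Check(Tx{Sender: "alice", MsgType: "bank/MsgSend", GasLimit: 50_000, FeePaid: 1}))
	ex := Tx{Sender: "oracle1", MsgType: "oracle/MsgSubmitPrice", GasLimit: 10_000}
	for i := 0; i < 3; i++ {
		fmt.Println("exempt tx", i, "->", g.Check(ex)) // third one is rate-limited
	}
}
```

The quota is deliberately keyed on the sender and reset every block: an attacker who can mint addresses still has to buy one priced transaction per address to bootstrap it, which restores the cost the fee exemption removed.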
---
## Implementation Guidance
### For Small Organizations
- **Focus on Defaults:** Stick to standard SDK modules as much as possible.
- **Panic Safety:** Prioritize adding panic recovery to any custom `BeginBlocker` logic.
### For Medium Organizations
- **Internal Audits:** Conduct peer reviews specifically focusing on the "Cosmos SDK Gotchas" (e.g., map iteration and gas-free zones).
- **Monitoring:** Implement alerting for nodes that fall out of consensus due to app-hash mismatches.
### For Large Enterprises
- **Multi-Architecture Testing:** Run validator nodes on different CPU architectures (ARM/x86) in a testnet to flush out floating-point or OS-specific non-determinism.
- **Custom Gas Middleware:** Develop modular middleware to inject gas costs into third-party integrations automatically.
---
## Configuration Examples
**Manual Gas Metering for CosmWasm Sudo Calls:**
```go
import (
	"fmt"

	sdk "github.com/cosmos/cosmos-sdk/types"
)

// Example logic for protecting a Sudo call into a user-controlled contract.
// Assumes a module Keeper with a wasmKeeper field exposing wasmd's Sudo method.
func (k Keeper) CustomSudo(ctx sdk.Context, contractAddr sdk.AccAddress, msg []byte) (err error) {
	// 1. Define a safety limit
	limit := uint64(1000000)
	// 2. Create a sub-context with a resource limit
	cacheCtx, commit := ctx.CacheContext()
	cacheCtx = cacheCtx.WithGasMeter(sdk.NewGasMeter(limit))
	// 3. Execute with recovery: an out-of-gas panic raised by the meter, or any
	//    panic from the contract, lands here and the cached writes are discarded
	defer func() {
		if r := recover(); r != nil {
			ctx.Logger().Error("sudo call aborted", "contract", contractAddr.String(), "panic", r)
			err = fmt.Errorf("sudo call to %s aborted: %v", contractAddr, r)
		}
	}()
	// 4. Call VM (e.g., Wasmd); wasmd's Sudo returns (data, error)
	_, err = k.wasmKeeper.Sudo(cacheCtx, contractAddr, msg)
	if err == nil {
		commit() // Only commit if successful and within gas
	}
	return err
}
```
---
## Compliance Alignment
- **NIST SP 800-192:** Verification of Access Control Tokens (relevant to Sudo and custom permissions).
- **CIS Software Benchmarks:** Guidance on input validation and resource management.
- **ISO/IEC 27001:** Specifically regarding non-repudiation and system integrity (Consensus determinism).
---
## Common Pitfalls to Avoid
- **The "Free" Transaction Trap:** Creating a bypass for fees (e.g., for governance or oracles) without implementing an alternative "cost" like rate-limiting or reputation requirements.
- **Iterating over Go Maps:** Directly using `for k, v := range myMap` and writing the result to the blockchain state. This *will* lead to a chain halt eventually.
- **Floating Point Math:** Using `float64` for rewards calculations; different CPUs handle rounding differently, leading to "AppHash" mismatches between validators.
- **Unbounded Loops in EndBlocker:** Allowing a list (like a list of all delegators) to grow indefinitely and iterating over it every block will eventually exceed the block time.
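The two determinism pitfalls above (map iteration and floating-point math, also Immediate Action 3 and Short-term Improvement 2) have a common fix: walk maps through sorted keys, and do reward arithmetic in integers with an explicit rule for the rounding remainder. The block below is an added example using only the Go standard library; it is not code from the talk or from Osmosis. `AppHash` is a toy stand-in for the commit hash validators compare, and the balance and weight maps are constructed sample input.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// SortedKeys is the one helper every state-touching map walk should go through.
func SortedKeys(m map[string]uint64) []string {
	keys := make([]string, 0, len(m))
	for k := range m { // order is random here, but we only collect the keys
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// SerializeBalances renders the map in sorted-key order so every validator
// produces byte-identical output. A plain `range` over the map would give each
// node its own order and therefore its own app hash.
func SerializeBalances(balances map[string]uint64) string {
	var sb strings.Builder
	for _, k := range SortedKeys(balances) {
		fmt.Fprintf(&sb, "%s=%d;", k, balances[k])
	}
	return sb.String()
}

// AppHash is a toy stand-in for the hash validators compare at commit.
func AppHash(balances map[string]uint64) string {
	sum := sha256.Sum256([]byte(SerializeBalances(balances)))
	return hex.EncodeToString(sum[:])
}

// SplitReward divides total among weighted recipients with integer arithmetic
// only. Each share is floor(total*w/sumW); the rounding remainder goes to the
// lowest key, so the shares always sum to total and every node agrees on who
// received the dust. With float64 the rounding policy would belong to the
// compiler and CPU instead of the protocol.
func SplitReward(total uint64, weights map[string]uint64) map[string]uint64 {
	keys := SortedKeys(weights)
	var sumW uint64
	for _, k := range keys {
		sumW += weights[k]
	}
	out := make(map[string]uint64, len(keys))
	if sumW == 0 {
		return out
	}
	var distributed uint64
	for _, k := range keys {
		// Caution: total*w must fit in uint64; production code uses big ints or sdk.Dec.
		out[k] = total * weights[k] / sumW
		distributed += out[k]
	}
	out[keys[0]] += total - distributed
	return out
}

func main() {
	// Constructed sample state, inserted in two different orders.
	a := map[string]uint64{"bob": 5, "alice": 10, "carol": 7}
	b := map[string]uint64{"carol": 7, "alice": 10, "bob": 5}
	fmt.Println(SerializeBalances(a))
	fmt.Println("hashes equal:", AppHash(a) == AppHash(b))
	fmt.Println(SplitReward(100, map[string]uint64{"a": 1, "b": 1, "c": 1}))
}
```

A useful review habit that follows from this: any `for k, v := range someMap` whose body writes to the store, emits events, or feeds a hash is a finding unless the keys were sorted first, and any `float64` in a state transition is a finding unless its result never reaches state.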
---
## Resources
- **Cosmos SDK Documentation:** hxxps[://]docs[.]cosmos[.]network/
- **CosmWasm Security Best Practices:** hxxps[://]book[.]cosmwasm[.]com/basics/security[.]html
- **CometBFT (formerly Tendermint) Determinism Guide:** hxxps[://]docs[.]cometbft[.]com/
- **Defanged Dev Tools:** `cosmos-sdk-iavl-viewer` for state inspection.