Full Report
A vulnerability in the Cosmos SDK `x/group` module led to a chain panic. It's well known that an error or panic in either the BeginBlocker or the EndBlocker of a Cosmos SDK module results in a chain halt: every validator runs the same deterministic code, so they all fail at the same height. From reading the patch, it appears that the only real change was to error handling. Previously, if `k.Tally` returned an error while a proposal was being tallied, that error was returned to the caller, and if you follow it up the call chain it ends up being returned from the EndBlocker. I'm unsure exactly what error could have resulted in this. If this were me, I would have seen the potential for a DoS in the EndBlocker and then looked for ways to trigger an error within the processing of a group proposal. To remediate the issue, the function no longer returns the error. Instead, it prunes the votes, sets the proposal status to rejected, and emits an event.
Analysis Summary
# Vulnerability: Cosmos SDK x/group Module Chain Halt via EndBlocker Error
## CVE Details
- CVE ID: Not assigned at time of advisory (Reference GHSA-47ww-ff84-4jrg)
- CVSS Score: High (Specific score not provided, but criticality is rated High)
- CWE: CWE-754 (Improper Handling of Exceptional Conditions) is the closest fit: an error that should have been handled inside the module escaped to the EndBlocker, where any error halts the chain.
## Affected Systems
- Products: Cosmos SDK chains utilizing the `x/group` module.
- Versions: `<= v0.47.16` and `<= v0.50.12`
- Configurations: Any chain using the `x/group` module on these affected versions.
## Vulnerability Description
A vulnerability exists in the `x/group` module where an error returned by `k.Tally` while proposals are tallied at the end of their voting period propagated up the call chain to the module's `EndBlocker`. An error returned from the EndBlocker halts the node, and because every validator executes the same deterministic code, the entire chain stops (Denial of Service). The fix changes the error handling: instead of returning the error up the call chain, the function prunes the proposal's votes, sets the proposal status to REJECTED, and emits an event, so block processing continues and the chain does not halt.
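The following is an added illustration of the before/after error handling described in the Full Report and in this section; it is not Cosmos SDK code. The types and functions (`Keeper`, `Proposal`, `Tally`, `TallyProposals`, `RunEndBlock`, `NewSampleKeeper`) and the `BrokenPolicy` flag that forces a tally error are assumptions standing in for the real module's state and for whatever input makes the real `k.Tally` fail, which the advisory does not specify. The sample proposals and voter addresses are constructed. With `patched=false` the tally error escapes to the EndBlocker and is treated as a chain halt; with `patched=true` the proposal is rejected, its votes pruned and an event emitted, as the fix does.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model of the x/group end-of-voting-period tally path.
// Not Cosmos SDK code: all names and the BrokenPolicy trigger are assumptions.

type ProposalStatus int

const (
	StatusSubmitted ProposalStatus = iota
	StatusAccepted
	StatusRejected
)

type Proposal struct {
	ID           uint64
	Status       ProposalStatus
	YesWeight    int
	NoWeight     int
	BrokenPolicy bool // assumed stand-in for whatever makes the real tally fail
}

type Keeper struct {
	Proposals []*Proposal          // kept in ID order, as a store iteration would be
	Votes     map[uint64][]string // proposal ID -> voter addresses
	Events    []string            // emitted events, as strings for brevity
}

// Tally plays the role of k.Tally: it returns the final status or an error.
func (k *Keeper) Tally(p *Proposal) (ProposalStatus, error) {
	if p.BrokenPolicy {
		return StatusSubmitted, errors.New("decision policy not found")
	}
	if p.YesWeight > p.NoWeight {
		return StatusAccepted, nil
	}
	return StatusRejected, nil
}

func (k *Keeper) pruneVotes(id uint64) { delete(k.Votes, id) }

// TallyProposals mirrors the tally loop. With patched=false it behaves like the
// pre-patch code and returns the first Tally error to its caller; with
// patched=true the error is contained the way the fix does it.
func (k *Keeper) TallyProposals(patched bool) error {
	for _, p := range k.Proposals {
		if p.Status != StatusSubmitted {
			continue
		}
		status, err := k.Tally(p)
		if err != nil {
			if !patched {
				// Pre-patch: the error escapes to the EndBlocker.
				return fmt.Errorf("tally proposal %d: %w", p.ID, err)
			}
			// Patched: prune votes, reject the proposal, emit an event, move on.
			k.pruneVotes(p.ID)
			p.Status = StatusRejected
			k.Events = append(k.Events, fmt.Sprintf("tally_failed proposal_id=%d reason=%v", p.ID, err))
			continue
		}
		p.Status = status
		k.pruneVotes(p.ID)
	}
	return nil
}

// RunEndBlock models the module EndBlocker. Any error returned from it is
// reported as a chain halt, which is the effect on a real node.
func RunEndBlock(k *Keeper, patched bool) (halted bool, err error) {
	err = k.TallyProposals(patched)
	return err != nil, err
}

// NewSampleKeeper builds constructed state: a healthy proposal (ID 1) and one
// whose tally errors (ID 2).
func NewSampleKeeper() *Keeper {
	return &Keeper{
		Proposals: []*Proposal{
			{ID: 1, YesWeight: 3, NoWeight: 1},
			{ID: 2, YesWeight: 1, NoWeight: 0, BrokenPolicy: true},
		},
		Votes: map[uint64][]string{
			1: {"cosmos1aaa", "cosmos1bbb"},
			2: {"cosmos1ccc"},
		},
	}
}

func main() {
	for _, patched := range []bool{false, true} {
		k := NewSampleKeeper()
		halted, err := RunEndBlock(k, patched)
		fmt.Printf("patched=%v halted=%v err=%v\n", patched, halted, err)
		for _, p := range k.Proposals {
			fmt.Printf("  proposal %d status=%d votes_kept=%d\n", p.ID, p.Status, len(k.Votes[p.ID]))
		}
		fmt.Printf("  events=%v\n", k.Events)
	}
}
```

The point to take from the patched branch is that the EndBlocker path must be total over every proposal the chain can hold: an error that is recoverable for one proposal is turned into a state change for that proposal only, rather than into a return value that the module manager cannot do anything with except stop the node.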
## Exploitation
- Status: Not stated as exploited in the wild, but the mechanism for a chain halt is present in every affected chain.
- Complexity: Likely low. The bug sits in the end-of-voting-period tally path that every submitted group proposal passes through, so a single proposal whose tally errors would be enough; the advisory does not say which input causes `k.Tally` to error.
- Attack Vector: Network (submitting group proposals/votes to the chain).
## Impact
- Confidentiality: No direct impact stated.
- Integrity: No direct impact stated. A halt stalls finality of new blocks, but committed state is not corrupted, and after the fix the affected proposal is simply rejected.
- Availability: High (The primary impact is the complete halt/panic of the blockchain, leading to a Denial of Service).
## Remediation
### Patches
- Upgrade to Cosmos SDK **v0.47.17** or newer.
- Upgrade to Cosmos SDK **v0.50.13** or newer.
### Workarounds
- There are no known workarounds. Immediate patching/upgrading is advised.
## Detection
- **Indicators of Compromise:** All validators stopping at the same block height, with a panic or error logged during EndBlock that references the `x/group` module, typically right after a group proposal's voting period ends.
- **Detection Methods and Tools:** Compare the latest block height and block time reported by several nodes. A chain-wide halt shows identical heights and a stale block time everywhere, whereas a single crashed or lagging node does not. Review node logs around the last committed height for EndBlock errors originating in `x/group`, and alert on any halt not attributable to a planned upgrade.
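As an added example (not from the advisory) of the cross-node check described above, the following Go program reads the `latest_block_height` and `latest_block_time` fields of the CometBFT `/status` response from several nodes and distinguishes a chain-wide halt (same height everywhere, no new block within a threshold) from a single lagging node. The JSON field names are the real `/status` ones; the node names, the `BuildSample` helper, the `Now` timestamp and the response bodies are constructed for the example. In production you would replace `BuildSample` with HTTP fetches of `/status` from each node.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// statusResponse models only the /status fields this check needs.
type statusResponse struct {
	Result struct {
		SyncInfo struct {
			LatestBlockHeight string `json:"latest_block_height"`
			LatestBlockTime   string `json:"latest_block_time"`
		} `json:"sync_info"`
	} `json:"result"`
}

type NodeStatus struct {
	Name   string
	Height int64
	Time   time.Time
}

// ParseStatus extracts height and block time from one /status response body.
func ParseStatus(name string, body []byte) (NodeStatus, error) {
	var r statusResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return NodeStatus{}, fmt.Errorf("%s: %w", name, err)
	}
	h, err := strconv.ParseInt(r.Result.SyncInfo.LatestBlockHeight, 10, 64)
	if err != nil {
		return NodeStatus{}, fmt.Errorf("%s: bad height: %w", name, err)
	}
	t, err := time.Parse(time.RFC3339Nano, r.Result.SyncInfo.LatestBlockTime)
	if err != nil {
		return NodeStatus{}, fmt.Errorf("%s: bad time: %w", name, err)
	}
	return NodeStatus{Name: name, Height: h, Time: t}, nil
}

// Classify returns "chain_halt" when every node reports the same height and
// none has produced a block within maxAge (the signature of a deterministic
// EndBlock failure), "node_lag" when only some nodes are stale,
// "stalled_divergent" when all are stale at different heights, else "ok".
func Classify(nodes []NodeStatus, now time.Time, maxAge time.Duration) string {
	if len(nodes) == 0 {
		return "ok"
	}
	sameHeight, allStale, anyStale := true, true, false
	for _, n := range nodes {
		if n.Height != nodes[0].Height {
			sameHeight = false
		}
		if now.Sub(n.Time) > maxAge {
			anyStale = true
		} else {
			allStale = false
		}
	}
	switch {
	case allStale && sameHeight:
		return "chain_halt"
	case allStale:
		return "stalled_divergent"
	case anyStale:
		return "node_lag"
	default:
		return "ok"
	}
}

// Now is a fixed reference time so the constructed samples are reproducible.
var Now = time.Date(2025, 3, 1, 12, 0, 0, 0, time.UTC)

// sampleBody builds a constructed /status body with the real field layout.
func sampleBody(height int64, t time.Time) []byte {
	return []byte(fmt.Sprintf(`{"jsonrpc":"2.0","id":-1,"result":{"sync_info":{"latest_block_height":"%d","latest_block_time":"%s","catching_up":false}}}`,
		height, t.Format(time.RFC3339Nano)))
}

// BuildSample stands in for polling /status on each node: heights[i] and
// ages[i] (time since that node's last block) describe node i.
func BuildSample(heights []int64, ages []time.Duration) ([]NodeStatus, error) {
	nodes := make([]NodeStatus, 0, len(heights))
	for i, h := range heights {
		n, err := ParseStatus(fmt.Sprintf("validator-%d", i+1), sampleBody(h, Now.Add(-ages[i])))
		if err != nil {
			return nil, err
		}
		nodes = append(nodes, n)
	}
	return nodes, nil
}

func main() {
	// Three validators all stuck at the same height for ten minutes.
	nodes, err := BuildSample([]int64{123456, 123456, 123456},
		[]time.Duration{10 * time.Minute, 10 * time.Minute, 11 * time.Minute})
	if err != nil {
		panic(err)
	}
	fmt.Println(Classify(nodes, Now, 2*time.Minute))
}
```

The threshold should be several multiples of the chain's block time so that a slow block is not reported as a halt; two minutes is a reasonable starting point for a chain producing blocks every few seconds.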
## References
- Vendor Advisories: ISA-2025-002: x/group can halt when erroring in EndBlocker (GitHub Advisory GHSA-47ww-ff84-4jrg)
- Relevant links (defanged):
- `hXXps://github[.]com/cosmos/cosmos-sdk/security/advisories/GHSA-47ww-ff84-4jrg`
- `hXXps://hackerone[.]com/cosmos`