axone-protocol/axoned

🛡️ Potential slashing evasion during re-delegation

Closed this issue · 2 comments

Note

Severity: High
target: v7.1.0 - Commit: 3c854270b006db30aa3894da2cdba10cc31b8c5f
Ref: OKP4 Blockchain Audit Report v1.0 - 02-05-2024 - BlockApex

Description

During our review of the okp4d (now axoned) blockchain, a significant vulnerability was detected in the staking module of the cosmos-sdk version v0.50.4, which is currently deployed in okp4d. This critical flaw is associated with the possibility of slashing evasion during re-delegation events. As detailed in the security advisory, the vulnerability stems from a flaw in the slashing mechanism which could potentially allow delegations involved in byzantine behavior to evade slashing penalties if the validator has not yet been slashed and is subjected to re-delegation. This issue was identified and rectified in the subsequent cosmos-sdk release (v0.50.5).

To thoroughly assess the severity and real-time implications of this vulnerability on the okp4d blockchain, we executed internal tests using the test case scenarios available in the okp4d repository. Our findings confirm that the vulnerability is indeed exploitable under the current configuration, which underscores the importance of swiftly updating the blockchain dependencies to safeguard against such potential exploits.

Recommandation

To mitigate this risk, we recommend that okp4d promptly upgrade to cosmos-sdk v0.50.5.

References

cosmos-sdk has been updated to v0.50.6. See #642

cosmos-sdk has been updated to v0.50.6. See #642

All good :)