
πŸ›‘οΈ Barberry issue unresolved due to faulty upstream #621

Closed
ccamel opened this issue May 15, 2024 · 0 comments Β· Fixed by #645
Labels
security audit Categorizes an issue or PR as relevant to Security Audit

Comments


ccamel commented May 15, 2024

Note

Severity: Medium
target: v7.1.0 - Commit: 3c854270b006db30aa3894da2cdba10cc31b8c5f
Ref: OKP4 Blockchain Audit Report v1.0 - 02-05-2024 - BlockApex

Description

During the audit of the Okp4d blockchain, a critical observation was made concerning the blockchain's use of a customized implementation of the cosmos-sdk’s vesting module. The go.mod file in the okp4d repository is configured to link to okp4d/x/vesting rather than the standard cosmossdk/x/auth/vesting. This configuration oversight meant that while the CHANGELOG.md suggests updates to cosmos-sdk version 0.47.3 for critical patches (including a patch for the "Barberry" issue) and later to version 0.50.4, these updates were not fully integrated into the actual codebase.

The core of the issue lies not just in the module reference but in the approach to maintaining the custom module. When the "Barberry" issue was addressed in the cosmos-sdk, the necessary patches were not manually integrated into Okp4d's custom vesting module. This misstep suggests a misunderstanding of how dependency management should align with the actual code enhancements made in the upstream cosmos-sdk. It's essential to note that while the patch was intended to resolve a significant vulnerability, our testing on the okp4d's internal testnet using the exact attack scenario provided by the patch demonstrated that the vulnerability still persists, indicating an incomplete resolution.

Impact

The persistence of the "Barberry" vulnerability despite the reported updates has serious implications. By successfully executing the attack scenario provided, which ideally should have failed if the patch were effective, it was confirmed that the vulnerability remains exploitable. This situation exposes the network to potential security risks that could be leveraged by malicious actors to compromise the integrity of the blockchain. The effective management of such vulnerabilities is crucial for maintaining trust and security within the network infrastructure.

Recommendation

To rectify this oversight, it is crucial for the development team to implement a more robust process for integrating patches and updates. The Okp4d blockchain should not only pull updates from the cosmos-sdk but must also ensure that any custom modules, such as okp4d/x/vesting, are manually updated to reflect these changes.

References
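An added example, not code from the issue or the okp4d project, of the kind of check the recommendation calls for: a Go scan that flags source files importing an in-tree fork of an upstream cosmos-sdk package (here the custom x/vesting shadowing x/auth/vesting) and records the cosmos-sdk version go.mod claims, so that such forks are queued for manual re-patching whenever the upstream version moves. The patchedUpstream list, the go.mod regex and the constructed sample input are assumptions of this example.

```go
package main

import (
	"go/parser"
	"go/token"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Upstream packages that shipped security fixes, keyed by import path, with the
// suffix an in-tree fork keeps. Only the vesting entry comes from the issue.
var patchedUpstream = map[string]string{
	"github.com/cosmos/cosmos-sdk/x/auth/vesting": "x/vesting",
}

// ShadowFinding reports a file importing a fork of a patched upstream package.
type ShadowFinding struct{ File, Fork, Upstream, SDKVersion string }

// Matches the cosmos-sdk require line in go.mod to capture the pinned version.
var sdkRequireRe = regexp.MustCompile(`(?m)^\s*(?:require\s+)?github\.com/cosmos/cosmos-sdk\s+(v\S+)`)

// FindShadowedModules parses only the import declarations of each Go source
// file (path -> contents) and flags imports that end in a fork suffix but are
// not the upstream path: go.mod bumps never reach such in-tree copies.
func FindShadowedModules(gomod string, sources map[string]string) []ShadowFinding {
	ver := "" // version go.mod claims to pin; "" if go.mod has no cosmos-sdk line
	if m := sdkRequireRe.FindStringSubmatch(gomod); m != nil {
		ver = m[1]
	}
	fset := token.NewFileSet()
	var out []ShadowFinding
	for file, src := range sources {
		f, err := parser.ParseFile(fset, file, src, parser.ImportsOnly)
		if err != nil {
			continue // unparsable file: skip it rather than abort the scan
		}
		for _, spec := range f.Imports {
			imp, _ := strconv.Unquote(spec.Path.Value)
			for up, suffix := range patchedUpstream {
				if imp != up && strings.HasSuffix(imp, "/"+suffix) {
					out = append(out, ShadowFinding{file, imp, up, ver})
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].File < out[j].File })
	return out
}
```

Run it over the repository's go.mod and all .go files in CI; a non-empty result after a cosmos-sdk bump means the fork needs the upstream diff applied by hand before the CHANGELOG can claim the fix.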
