🛡️ValidateVoteExtensions helper function may allow incorrect voting power assumptions

[ccamel]

Note

Severity: Info
target: v7.1.0 - Commit: 3c854270b006db30aa3894da2cdba10cc31b8c5f
Ref: OKP4 Blockchain Audit Report v1.0 - 02-05-2024 - BlockApex

Description

During the course of the audit an advisory "ASA-2024-006: ValidateVoteExtensions helper function may allow incorrect voting power assumptions" was published by cosmos-sdk. The issue states that "the default ValidateVoteExtensions helper function infers total voting power based off of the injected VoteExtension, which are injected by the proposer."

We verified that okp4d currently does not utilize the vote extensions but if in future the blockchain utilizes the ValidateVoteExtensions helper in ProcessProposal, a dishonest proposer can potentially mutate voting power of each validator it includes in the injected VoteExtension, which could have potentially unexpected or negative consequences on modified state.

Recommandation

It is advised to update the cosmos-sdk version to v0.50.5, if in future vote extensions are enabled and validateVoteExtension() is used then in that case this bug shouldn't get activated.

References

• ASA-2024-006: ValidateVoteExtensions helper function may allow incorrect voting power assumptions

[bdeneux]

Fixed by #642

[amimart]

Fixed by #642

Yep! Closing it :)