GHSA-86h5-xcpx-cfqc
ASA-2024-005: Potential slashing evasion during re-delegation
Blast Radius
github.com/cosmos/cosmos-sdk🐹github.com/cosmos/cosmos-sdkReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
ASA-2024-005: Potential slashing evasion during re-delegation
Component: Cosmos SDK Criticality: Low Affected Versions: Cosmos SDK versions <= 0.50.4; <= 0.47.9 Affected Users: Chain developers, Validator and Node operators Impact: Slashing Evasion
Summary
An issue was identified in the slashing mechanism that may allow for the evasion of slashing penalties during a slashing event. If a delegation contributed to byzantine behavior of a validator, and the validator has not yet been slashed, it may be possible for that delegation to evade a pending slashing penalty through re-delegation behavior. Additional validation logic was added to restrict this behavior.
Next Steps for Impacted Parties
If you are a chain developer on an affected version of the Cosmos SDK, it is advised to update to the latest available version of the Cosmos SDK for your project. Once a patched version is available, it is recommended that network operators upgrade.
A Github Security Advisory for this issue is available in the Cosmos-SDK repository. For more information about Cosmos SDK, see https://docs.cosmos.network/.
This issue was found by cat shark (Khanh) who reported it to the Cosmos Bug Bounty Program on HackerOne on December 6, 2023. If you believe you have found a bug in the Interchain Stack or would like to contribute to the program by reporting a bug, please see https://hackerone.com/cosmos.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/cosmos/cosmos-sdk | ≥ 0.50.0&&< 0.50.5 | 0.50.5 |
| 🐹Go | github.com/cosmos/cosmos-sdk | all versions | 0.47.10 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/cosmos/cosmos-sdk. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/cosmos/cosmos-sdk to 0.50.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-86h5-xcpx-cfqc is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-86h5-xcpx-cfqc is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-86h5-xcpx-cfqc. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-86h5-xcpx-cfqc in your dependencies?
O3 detects GHSA-86h5-xcpx-cfqc across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.