Full Report
In the Cosmos SDK, a vesting account is a type of account whose coins are locked according to a vesting schedule. A periodic vesting account releases funds at defined intervals. A clawback account has an additional locking period, after which the vesting funds are received. Neither periodic nor clawback accounts validate their input upon account creation: the code fails to check that the amount in each vesting period is positive. Several forks of the Cosmos SDK carry variants of the same missing validation. So, what's the impact? A vesting account can be initialized such that its funds are impossible to withdraw. By adding negative token amounts such as -1stake, the bank module's validation that a user isn't overdrawing will panic. To make this work, the authors claim that you would want to see a new account being created, frontrun it and poison it. This account can then receive funds, but it cannot send them out. Frontrunning is unlikely to occur in Cosmos but is technically possible. To fix the bug, simply validate that all amounts are positive. Overall, a good read and a useful introduction to vesting accounts in the Cosmos SDK.
Analysis Summary
# Vulnerability: Permanent Fund Lockup via Invalid Vesting Account Creation in Cosmos SDK
## CVE Details
- CVE ID: Not explicitly provided in the text (Cosmos SDK Security Advisory was codenamed "Barberry")
- CVSS Score: Not provided
- CWE: CWE-20 (Improper Input Validation)
## Affected Systems
- Products: Cosmos SDK and derived application chains utilizing the vesting module (PeriodicVestingAccount or ClawbackVestingAccount).
- Versions: Cosmos SDK v0.46 and v0.47 are specifically mentioned as containing the vulnerable code paths. Versions earlier than v0.46 are described as not exploitable via this method because vesting accounts could only be created at genesis.
- Configurations: Any chain using a vulnerable version of the SDK that enables the vesting module. Affected chains mentioned include **Cronos, Iris, Kava, Kyve, Lum, Provenance, Quicksilver, Regen, Stride, Umee, Agoric, Evmos, and Osmosis** (or forks thereof).
## Vulnerability Description
Both `PeriodicVestingAccount` and `ClawbackVestingAccount` creation logic fails to validate that the token amount associated with each vesting period is positive. An attacker can create a vesting account using a transaction that specifies negative token amounts (e.g., `-1stake`) for one or more vesting periods. While the standard bank module validation might panic if an attacker immediately attempts to draw funds exceeding the balance, the key exploit vector relies on **front-running** the deposit into this poisoned account.
The poisoned account can still receive initial funding (including the attacker's intended deposit or a subsequent victim's deposit, by front-running the victim's deposit transaction). However, due to the negative vesting amounts specified during creation, the internal logic calculates the spendable amount such that even vested funds cannot be withdrawn, permanently locking any deposited tokens.
## Exploitation
- Status: Proof-of-Concept (PoC) available, but exploitation in the wild requires front-running.
- Complexity: Medium. The exploit requires meticulous timing to front-run a deposit transaction directed to a newly created, poisoned address before that transaction completes.
- Attack Vector: Network.
### Impact
- Confidentiality: No direct impact.
- Integrity: High. Funds are permanently locked and made unusable in the targeted account.
- Availability: High. Funds deposited into the poisoned account become permanently unavailable for the account owner.
## Remediation
### Patches
* **Cosmos SDK:** Patches were released for:
  * v0.46.13
  * v0.47.3
* The required fix is to implement validation ensuring all amounts within vesting periods are strictly positive during account creation.
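The check described in the vulnerability description and in the fix above, as an added example that is not the Cosmos SDK's own code: `Coin` and `Period` are simplified stand-ins for the SDK's coin and vesting-period types (an assumption; the real amount type is a big integer), and `ValidatePeriods` is a hypothetical helper that rejects a zero or negative tranche outright and also requires the periods to sum to the original vesting balance, which on its own would not catch a schedule like `101stake` followed by `-1stake`.

```go
package main

import "fmt"

// Coin and Period are simplified stand-ins (assumption) for the SDK's coin and
// vesting-period types; int64 replaces the SDK's big-integer amount.
type (
	Coin   struct{ Denom string; Amount int64 }
	Period struct {
		Length int64  // seconds until this tranche unlocks
		Amount []Coin // coins released when the period elapses
	}
)

// ValidatePeriods rejects the malformed schedules the advisory describes: every
// period needs a positive length and strictly positive coin amounts, and the
// periods must add up exactly to the original vesting balance per denomination.
func ValidatePeriods(original []Coin, periods []Period) error {
	sum := map[string]int64{}
	for i, p := range periods {
		if p.Length <= 0 || len(p.Amount) == 0 {
			return fmt.Errorf("period %d: needs positive length and non-empty amount", i)
		}
		for _, c := range p.Amount {
			// The check the fix adds: a zero or negative tranche is rejected outright.
			if c.Denom == "" || c.Amount <= 0 {
				return fmt.Errorf("period %d: invalid coin %d%s", i, c.Amount, c.Denom)
			}
			sum[c.Denom] += c.Amount
		}
	}
	for _, c := range original {
		if sum[c.Denom] != c.Amount {
			return fmt.Errorf("periods sum to %d%s, original vesting is %d%s", sum[c.Denom], c.Denom, c.Amount, c.Denom)
		}
		delete(sum, c.Denom)
	}
	if len(sum) != 0 {
		return fmt.Errorf("periods contain denominations absent from original vesting")
	}
	return nil
}

func main() {
	// Constructed schedule: 101stake then -1stake sums to 100, so a sum-only
	// check accepts it; the per-coin sign check rejects it.
	orig := []Coin{{"stake", 100}}
	fmt.Println(ValidatePeriods(orig, []Period{{10, []Coin{{"stake", 101}}}, {10, []Coin{{"stake", -1}}}}))
}
```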
### Workarounds
* No explicit workaround was detailed, but the nature of the fix implies that chains must ensure they upgrade to patched SDK versions to prevent the creation of accounts with invalid vesting schedules.
## Detection
- **Indicators of Compromise (IoC):** Observation of vesting accounts created where the sum of positive amounts in periods is less than the total initial deposit, or where any individual vesting period amount is zero or negative.
- **Detection Methods and Tools:** Auditing account creation transactions related to vesting accounts for invalid period inputs.
## References
- Cosmos SDK Security Advisory: barberry (forum link: hxxps://forum.cosmos.network/t/cosmos-sdk-security-advisory-barberry/10825)
- PoC for Cosmos SDK variant: hxxps://gist.github.com/dimakogan/05cde1fd7468f6454f2c87f619507aa0
- PoC for Agoric/Evmos/Osmosis variant: hxxps://gist.github.com/dimakogan/c629aa5bb014f3b2ab39a9e0d29e3497
- Cosmos SDK v0.46.13 Release Notes: hxxps://github.com/cosmos/cosmos-sdk/blob/d4b7164de5d8391e6aa644d8ea84e07396dd9653/RELEASE_NOTES.md#cosmos-sdk-v04613-release-notes
- Cosmos SDK v0.47.3 Release Notes: hxxps://github.com/cosmos/cosmos-sdk/blob/cfc757dc5043fb2758c47c146d2912fd010c1a45/RELEASE_NOTES.md#cosmos-sdk-v0473-release-notes