
CVE-2021-41135 : What You Need to Know

CVE-2021-41135 is a vulnerability in the x/authz module of the Cosmos SDK that can halt consensus on an affected chain. Upgrading to version 0.44.2 fixes it; the impact and the mechanism are described below.

The Cosmos SDK, a framework for building blockchain applications in Go, contained a vulnerability in the x/authz module that could lead to a consensus halt.

Understanding CVE-2021-41135

What is CVE-2021-41135?

The Authz module's Grant.ValidateBasic method compared a grant's expiration time against the node's local clock. Because every validator's clock differs slightly, the same transaction could be judged valid on some validators and invalid on others. An attacker can use this non-determinism to halt the chain.

The Impact of CVE-2021-41135

Any chain running an affected version with the Authz module enabled could suffer a consensus halt. Recovering a halted chain requires applying the patch and rolling back the halting block.

Technical Details of CVE-2021-41135

Vulnerability Description

        Grant.ValidateBasic in the Authz module compared the user-supplied expiration time to the node's local clock time
        ValidateBasic runs independently on every node, and local clocks are not part of consensus state, so validators could disagree on whether the same transaction was valid; the deterministic reference available to validation is the block time, which every node agrees on

Affected Systems and Versions

        Product: cosmos-sdk
        Vendor: cosmos
        Versions affected: >=0.43.0, <0.44.2

Exploitation Mechanism

        An attacker who can submit transactions can send an authz grant whose expiration falls within the clock skew between validators; validators then disagree on the transaction's validity and the chain halts
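The following Go program is an added illustration of the mechanism in the vulnerability description and exploitation sections above; it is not code from the Cosmos SDK. The Grant type, the Node type and the three-validator scenario are simplified stand-ins constructed for the example, with the block time and clock skews chosen to make the split visible. It runs a local-clock expiration check on three validators with skewed clocks (the vulnerable pattern) and the same check against the shared block time (the deterministic pattern), and reports whether the validators reach a unanimous verdict in each case.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Grant is a minimal stand-in for an x/authz grant (illustrative type,
// not the SDK's own definition).
type Grant struct {
	Granter    string
	Grantee    string
	Expiration time.Time
}

var errExpired = errors.New("authz grant has expired")

// validateBasicVulnerable shows the pattern behind CVE-2021-41135: a
// stateless validation step that reads the node's local wall clock. The
// outcome depends on which machine runs it, so it is not deterministic.
func validateBasicVulnerable(g Grant, localClock time.Time) error {
	if g.Expiration.Before(localClock) {
		return errExpired
	}
	return nil
}

// validateAgainstBlockTime performs the same check against the block time,
// which is consensus state and therefore identical on every node.
func validateAgainstBlockTime(g Grant, blockTime time.Time) error {
	if g.Expiration.Before(blockTime) {
		return errExpired
	}
	return nil
}

// Node models one validator whose wall clock is offset from true time by Skew.
type Node struct {
	Name string
	Skew time.Duration
}

// Verdicts runs the vulnerable check on each node with its own skewed clock
// and the deterministic check with the shared block time. It reports whether
// every node reached the same accept/reject decision under each check, plus
// each node's decision under the vulnerable check.
func Verdicts(nodes []Node, g Grant, trueNow, blockTime time.Time) (vulnerableAgree, deterministicAgree bool, perNode map[string]bool) {
	perNode = make(map[string]bool, len(nodes))
	acceptVuln, acceptDet := 0, 0
	for _, n := range nodes {
		v := validateBasicVulnerable(g, trueNow.Add(n.Skew)) == nil
		d := validateAgainstBlockTime(g, blockTime) == nil
		perNode[n.Name] = v
		if v {
			acceptVuln++
		}
		if d {
			acceptDet++
		}
	}
	unanimous := func(accepted int) bool { return accepted == 0 || accepted == len(nodes) }
	return unanimous(acceptVuln), unanimous(acceptDet), perNode
}

// Scenario builds the constructed sample: block time 2021-10-15 12:00:00 UTC,
// a grant expiring 5 seconds later (inside the validators' clock skew), and
// three validators whose clocks are 10 s slow, exact and 10 s fast.
func Scenario() (nodes []Node, g Grant, trueNow, blockTime time.Time) {
	blockTime = time.Date(2021, 10, 15, 12, 0, 0, 0, time.UTC)
	trueNow = blockTime
	g = Grant{
		Granter:    "cosmos1granter", // hypothetical address
		Grantee:    "cosmos1grantee", // hypothetical address
		Expiration: blockTime.Add(5 * time.Second),
	}
	nodes = []Node{{"slow", -10 * time.Second}, {"exact", 0}, {"fast", 10 * time.Second}}
	return nodes, g, trueNow, blockTime
}

func main() {
	nodes, g, now, bt := Scenario()
	vAgree, dAgree, per := Verdicts(nodes, g, now, bt)
	for _, n := range nodes {
		fmt.Printf("%-5s accepts via local clock: %v\n", n.Name, per[n.Name])
	}
	fmt.Printf("local-clock check unanimous: %v\n", vAgree) // false: validators split, consensus fails
	fmt.Printf("block-time check unanimous:  %v\n", dAgree) // true
}
```

The "fast" validator rejects a grant that the other two accept, which is exactly the disagreement that stops block production; moving the comparison to the block time gives every validator the same input and the same verdict.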

Mitigation and Prevention

Immediate Steps to Take

        Upgrade to Cosmos SDK version 0.44.2 or later, which removes the local-clock comparison from the Authz module

Long-Term Security Practices

        Keep the SDK and its modules on the latest patched release
        Treat any use of wall-clock time or other node-local state in transaction validation as a determinism bug; validation must depend only on the transaction and on consensus state such as the block time

Patching and Updates

        Apply the upstream patch, which makes the expiration check independent of the node's local clock so that all validators reach the same verdict
