Summary
Chains utilizing ibc-go v7.x.x and packet-forward-middleware v7.0.0 are susceptible to a vulnerability that can lead to a chain halt.
This is the PigeonFall public security disclosure. Prior to this disclosure, Strangelove contacted all known impacted chains, and those have subsequently been patched. It is unlikely that this affects your chain.
Vulnerability Details
The transfer module in ibc-go v7 introduces additional escrow balance accounting and adds an invariant check that compares the expected balance recorded in the transfer keeper key/value store with the actual balance of the escrow account. This escrow balance accounting was not taken into account in the packet-forward-middleware v7.0.0 release. As a result, forwarded packets that fail due to either a receive error on the destination or a packet timeout will halt the chain if the invariant is registered.
Recommended Actions
We recommend that you apply the following patch to your chain, create a patch release, and ask validators to upgrade their binaries as soon as possible:
go get github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/[email protected] && go mod tidy
Note: This upgrade can be applied without halting the chain. Validators do not need to apply the patch at the same block height.
You may optionally schedule an on-chain upgrade to roll out this patch, but it is not required since your chain would be halted by the consensus-breaking change if any forward failures had already occurred. Taking prompt action to roll this patch out to the validators will avoid the need to perform migrations to recover from the exploit.
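To confirm whether a chain's go.mod pins the affected combination (ibc-go v7.x.x with packet-forward-middleware v7.0.0), the following added example, which is not Strangelove's code, reads the require and replace directives and reports the effective packet-forward-middleware version. `checkGoMod` is a hypothetical helper name, and the `vN` path suffix in the sample is a constructed placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// ibc-go v7 module path, and the PFM path prefix as printed in the advisory's go get line.
const (
	ibcGoV7   = "github.com/cosmos/ibc-go/v7"
	pfmPrefix = "github.com/cosmos/ibc-apps/middleware/packet-forward-middleware/"
)

// checkGoMod reports whether go.mod text pins the affected pair (ibc-go v7.x.x
// with packet-forward-middleware v7.0.0) and returns the effective PFM version.
func checkGoMod(gomod string) (affected bool, pfm string) {
	req, rep, block := map[string]string{}, map[string]string{}, ""
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(raw, "//", 2)[0]) // drop comments
		if len(f) == 2 && f[1] == "(" {
			block = f[0] // entering a "require (" or "replace (" block
		} else if len(f) == 1 && f[0] == ")" {
			block = ""
		} else if len(f) >= 2 {
			dir := block
			if dir == "" {
				dir, f = f[0], f[1:] // single-line directive
			}
			if dir == "require" && len(f) >= 2 {
				req[f[0]] = f[1]
			} else if dir == "replace" && len(f) >= 3 {
				rep[f[0]] = f[len(f)-1] // replacement version, or a local path
			}
		}
	}
	_, hasIBC := req[ibcGoV7]
	for p, v := range req {
		if r, ok := rep[p]; ok {
			v = r // a replace directive overrides the required version
		}
		if strings.HasPrefix(p, pfmPrefix) {
			return hasIBC && v == "v7.0.0", v
		}
	}
	return false, ""
}

func main() { // constructed sample go.mod fragment
	fmt.Println(checkGoMod("require (\n\t" + ibcGoV7 + " v7.2.0\n\t" + pfmPrefix + "vN v7.0.0\n)"))
}
```

If a replace directive points the middleware at a local path or a fork, the returned version is that replacement target and needs manual review.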
Additional Information
For additional details or inquiries, please contact us at [email protected].