Barberry Security Advisory - regarding x/auth periodic vesting accounts
Package
Affected versions
>= 0.46.0, <= 0.46.12
>= 0.47.0, <= 0.47.2
Patched versions
0.46.13
0.47.3
Description
Published to the GitHub Advisory Database
Jul 7, 2023
Reviewed
Jul 7, 2023
Last updated
Jul 14, 2023
Impact
In
PeriodicVestingAccount
, defined inx/auth
, an attacker can initialize a victim's account as a malicious vesting account, which allows deposits but does not allow withdrawals. When the user then deposits funds into their account, those funds are locked forever, and the user is not able to withdraw them.Patches
>= v0.46.13 for Cosmos SDK v0.46.x
>= v0.47.3 for Cosmos SDK v0.47.x
If a network backported periodic vesting accounts to earlier versions of the SDK, those networks are affected too.
Workarounds
There is no workaround for this issue. Upgrade immediately.
References
References