
Barberry Security Advisory - regarding x/auth periodic vesting accounts

Moderate severity GitHub Reviewed Published Jul 7, 2023 in cosmos/cosmos-sdk • Updated Jul 14, 2023

Package

gomod github.com/cosmos/cosmos-sdk (Go)

Affected versions

>= 0.46.0, <= 0.46.12
>= 0.47.0, <= 0.47.2

Patched versions

0.46.13
0.47.3

Description

Impact

An attacker can initialize a victim's address as a maliciously constructed PeriodicVestingAccount (the periodic vesting account type defined in x/auth). This is only possible while no account exists at that address yet, so unused addresses are the exposed ones. The resulting account accepts deposits but does not permit withdrawals: any funds the victim subsequently sends to their own address are locked permanently and cannot be recovered.

Patches

>= v0.46.13 for Cosmos SDK v0.46.x
>= v0.47.3 for Cosmos SDK v0.47.x

Networks that backported periodic vesting accounts to an earlier SDK release are affected as well, even though those versions are not listed above.
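As an added example (not part of the advisory or of the cosmos-sdk code base), the following Go checker reads a go.mod and decides whether the build falls inside the affected ranges above. It treats a `replace` directive for github.com/cosmos/cosmos-sdk as authoritative, because a replaced fork is exactly how a network ends up with the backport situation just described, and it reads pre-release and pseudo-versions conservatively as the preceding patch release. The go.mod texts, the fork module path github.com/example/cosmos-sdk and the verdict strings are constructed for the demo.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	sdkModule = "github.com/cosmos/cosmos-sdk"
	Affected  = "affected"
	Patched   = "patched"
	Older     = "predates the advisory range: check whether periodic vesting accounts were backported"
)

type version [3]int // major, minor, patch

// Inclusive (lo, hi) ranges as published in GHSA-j2cr-jc39-wpx5.
var affectedRanges = [][2]version{{{0, 46, 0}, {0, 46, 12}}, {{0, 47, 0}, {0, 47, 2}}}

func key(v version) int { return v[0]*1000000 + v[1]*1000 + v[2] } // components assumed < 1000

// parseVersion turns "v0.47.2" into {0,47,2}. A pre-release or pseudo-version such as
// "v0.47.3-0.20230705120000-0123456789ab" names a commit before the tag it is derived
// from, so it counts as the preceding patch: conservative, since it may predate the fix.
func parseVersion(s string) (version, error) {
	var v version
	base, suffix, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	_, err := fmt.Sscanf(base, "%d.%d.%d", &v[0], &v[1], &v[2])
	if err != nil || fmt.Sprintf("%d.%d.%d", v[0], v[1], v[2]) != base {
		return v, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	if suffix != "" && v[2] > 0 {
		v[2]--
	}
	return v, nil
}

// Classify maps a cosmos-sdk module version string to one of the verdicts above.
func Classify(s string) string {
	v, err := parseVersion(s)
	if err != nil {
		return "error: " + err.Error()
	}
	for _, r := range affectedRanges {
		if key(v) >= key(r[0]) && key(v) <= key(r[1]) {
			return Affected
		}
	}
	if key(v) < key(affectedRanges[0][0]) {
		return Older
	}
	return Patched
}

// SDKVersion reads go.mod text and returns the cosmos-sdk version the build really uses:
// a replace directive for the module wins over the require line, and replaced=true flags
// a fork. A replace that points at a local directory carries no version, so ver is "".
func SDKVersion(gomod string) (ver string, replaced bool, err error) {
	var requireVer, replaceVer string
	for _, raw := range strings.Split(gomod, "\n") {
		line, _, _ := strings.Cut(raw, "//") // drop comments such as "// indirect"
		lhs, rhs, isReplace := strings.Cut(line, "=>")
		// Inside a "require (" or "replace (" block the keyword is absent, so strip it if present.
		f := strings.Fields(strings.TrimPrefix(strings.TrimPrefix(strings.TrimSpace(lhs), "require "), "replace "))
		if len(f) == 0 || f[0] != sdkModule {
			continue
		}
		if isReplace {
			replaced = true
			if r := strings.Fields(rhs); len(r) == 2 { // "path version"; a single field is a directory
				replaceVer = r[1]
			}
		} else if len(f) == 2 {
			requireVer = f[1]
		}
	}
	if replaced {
		return replaceVer, true, nil
	}
	if requireVer == "" {
		return "", false, fmt.Errorf("%s is not required by this go.mod", sdkModule)
	}
	return requireVer, false, nil
}

// Constructed go.mod samples for the demo, not taken from any real chain.
const upstreamGoMod = "module example.com/appchain\n\ngo 1.20\n\nrequire (\n\tgithub.com/cosmos/cosmos-sdk v0.47.2\n\tgithub.com/cosmos/ibc-go/v7 v7.0.1 // indirect\n)\n"
const forkGoMod = upstreamGoMod + "\nreplace github.com/cosmos/cosmos-sdk => github.com/example/cosmos-sdk v0.47.3-0.20230705120000-0123456789ab\n"

func main() {
	for _, mod := range []string{upstreamGoMod, forkGoMod} {
		ver, replaced, err := SDKVersion(mod)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %s (replace directive in effect: %t)\n", ver, Classify(ver), replaced)
	}
}
```

Run against a real chain's go.mod (for example `Classify` on the output of `go list -m -f '{{.Version}}' github.com/cosmos/cosmos-sdk`, which already honours replace directives). When the checker reports a replace directive in effect, the verdict is only a starting point: the fork's x/auth tree has to be compared against the patched release by hand.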

Workarounds

There is no workaround for this issue. Upgrade immediately.

greg-szabo (@greg-szabo) published to cosmos/cosmos-sdk Jul 7, 2023
Published to the GitHub Advisory Database Jul 7, 2023
Reviewed Jul 7, 2023
Last updated Jul 14, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-j2cr-jc39-wpx5
