The staking module is at the core of the Cosmos SDK ecosystem. If the security of this can be broken, then all is lost.
The economic security of the Cosmos SDK relies on four related concepts: bonding, unbonding, delegation and redelegation. Within the framework, only a fixed number of validators are in the active set at any one time, so users delegate their funds to a validator rather than validating themselves.
Bonding is the process of committing the chain's token as the collateral behind proof of stake. Once bonded, it takes 21 days to unbond. To improve the quality of life for delegators, if the delegated validator was not in the active set, they could unbond instantly without the 21-day wait.
Using a combination of these features, there is a logical bypass that allows instant unbonding without any consequence. First, redelegate your funds from a bonded validator to a non-bonded one. Next, unbond your funds from that validator, which completes instantly because it is not in the active set. Put plainly, it's super simple but was hidden beneath a ton of features.
Why is this bad? The entire economic security of the Cosmos SDK relies on the assumption that this cannot happen! As an example, an attacker could vote on a governance proposal and then immediately unbond to reuse the funds elsewhere.
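To make the logic bug concrete, here is a toy staking state machine written for this post. It is not Cosmos SDK code and the names (`State`, `UnbondVulnerable`, `UnbondHardened`, the 21-day `UnbondingPeriod`) are my own. The vulnerable rule releases stake instantly whenever the validator is outside the active set; the hardened rule, one possible fix rather than the SDK's actual patch, additionally refuses to release stake earlier than any still-maturing redelegation that carried it in.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// UnbondingPeriod models the 21-day wait described in the post (constructed value).
const UnbondingPeriod = 21 * 24 * time.Hour

// Validator is either in the active (bonded) set or not.
type Validator struct {
	Name   string
	Bonded bool
}

// Redelegation is an in-flight move of stake from Src to Dst that matures at CompletionTime.
type Redelegation struct {
	Delegator, Src, Dst string
	Amount              int64
	CompletionTime      time.Time
}

// State is a hypothetical, simplified staking keeper; not the Cosmos SDK's own types.
type State struct {
	Validators    map[string]*Validator
	Delegations   map[string]map[string]int64 // delegator -> validator -> amount
	Redelegations []Redelegation
}

func NewState() *State {
	return &State{Validators: map[string]*Validator{}, Delegations: map[string]map[string]int64{}}
}

func (s *State) AddValidator(name string, bonded bool) {
	s.Validators[name] = &Validator{Name: name, Bonded: bonded}
}

func (s *State) Delegate(delegator, val string, amt int64) error {
	if _, ok := s.Validators[val]; !ok {
		return errors.New("unknown validator")
	}
	if s.Delegations[delegator] == nil {
		s.Delegations[delegator] = map[string]int64{}
	}
	s.Delegations[delegator][val] += amt
	return nil
}

// Redelegate moves stake immediately but records an entry that matures after UnbondingPeriod.
func (s *State) Redelegate(delegator, src, dst string, amt int64, now time.Time) error {
	if s.Delegations[delegator][src] < amt {
		return errors.New("insufficient delegation")
	}
	if _, ok := s.Validators[dst]; !ok {
		return errors.New("unknown destination validator")
	}
	s.Delegations[delegator][src] -= amt
	s.Delegations[delegator][dst] += amt
	s.Redelegations = append(s.Redelegations, Redelegation{
		Delegator: delegator, Src: src, Dst: dst, Amount: amt, CompletionTime: now.Add(UnbondingPeriod)})
	return nil
}

// latestPendingRedelegation returns the latest completion time among immature
// redelegations by delegator into dst, and whether any exist.
func (s *State) latestPendingRedelegation(delegator, dst string, now time.Time) (time.Time, bool) {
	var latest time.Time
	found := false
	for _, r := range s.Redelegations {
		if r.Delegator == delegator && r.Dst == dst && r.CompletionTime.After(now) {
			if !found || r.CompletionTime.After(latest) {
				latest, found = r.CompletionTime, true
			}
		}
	}
	return latest, found
}

// UnbondVulnerable reproduces the flawed rule: stake held with a validator outside the
// active set is released immediately, regardless of how it got there.
func (s *State) UnbondVulnerable(delegator, val string, amt int64, now time.Time) (time.Time, error) {
	v, ok := s.Validators[val]
	if !ok || s.Delegations[delegator][val] < amt {
		return time.Time{}, errors.New("bad unbond request")
	}
	s.Delegations[delegator][val] -= amt
	if !v.Bonded {
		return now, nil
	}
	return now.Add(UnbondingPeriod), nil
}

// UnbondHardened applies the same rule but never lets stake leave before any
// immature redelegation into this validator would have matured.
func (s *State) UnbondHardened(delegator, val string, amt int64, now time.Time) (time.Time, error) {
	v, ok := s.Validators[val]
	if !ok || s.Delegations[delegator][val] < amt {
		return time.Time{}, errors.New("bad unbond request")
	}
	s.Delegations[delegator][val] -= amt
	completion := now
	if v.Bonded {
		completion = now.Add(UnbondingPeriod)
	}
	if pending, found := s.latestPendingRedelegation(delegator, val, now); found && pending.After(completion) {
		completion = pending
	}
	return completion, nil
}

func main() {
	now := time.Unix(1700000000, 0)
	for _, hardened := range []bool{false, true} {
		s := NewState()
		s.AddValidator("active", true)
		s.AddValidator("inactive", false)
		_ = s.Delegate("alice", "active", 100)
		_ = s.Redelegate("alice", "active", "inactive", 100, now)
		var done time.Time
		if hardened {
			done, _ = s.UnbondHardened("alice", "inactive", 100, now)
		} else {
			done, _ = s.UnbondVulnerable("alice", "inactive", 100, now)
		}
		fmt.Printf("hardened=%v release delay=%v\n", hardened, done.Sub(now))
	}
}
```

The interesting property is that the hardened rule leaves the delegator quality-of-life feature intact: stake delegated directly to an inactive validator still unbonds instantly, and only stake that arrived through a redelegation still inside its maturity window is held for the remainder of that window.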
While reviewing the issue, they noticed several occurrences of this pattern on the Cosmos Hub. Some of them were the reporter testing out the issue, but many were live exploits. This means a bug collision existed and that somebody was already abusing the vulnerability for their own gain. Yikes!
The author wrote up notes not only on the code-level remediation but also on the coordination with the affected parties. Being able to notify all of the different blockchains is an important yet difficult problem to solve. Overall, an awesome post on a simple yet deep vulnerability.