CertiK Exclusive: Deconstructing Cosmos ecosystem security and facilitating the interstellar journey of Web3.0
CertiK
2023-12-27 07:21
This article is about 1022 words; reading the full text takes about 4 minutes.
The Cosmos Ecosystem Security Guide released by the CertiK research team comprehensively analyzes the security status of key components in the Cosmos ecosystem, helping to improve the security level of the Cosmos ecosystem and the entire blockchain industry.

As one of the largest and best-known blockchain ecosystems in the world, the Cosmos ecosystem focuses on blockchain interoperability, enabling efficient communication between different blockchains. Cosmos provides developers with the modular Cosmos SDK, which helps them quickly build application-specific blockchains; many applications, including the widely watched dYdX V4, are built on it. Security issues in the Cosmos ecosystem therefore tend to have widespread impact. For example, the Dragonfruit vulnerability in the Cosmos SDK affected the normal operation of multiple mainstream public chains, forcing chain developers to halt their chains in order to apply the fix. The Cosmos Ecosystem Security Guide released by the CertiK research team comprehensively analyzes the security status of key components in the Cosmos ecosystem, summarizes and categorizes previously discovered security vulnerabilities, and distills common vulnerability patterns, audit approaches, and the security issues that Cosmos ecosystem developers and users should focus on, to help improve the security level of the Cosmos ecosystem and the entire blockchain industry.

Because the basic components of the Cosmos ecosystem are decentralized, chain developers use or extend different components depending on their functional requirements, which leads to a wide variety of ecosystem security issues. This report not only analyzes previous major security vulnerabilities, but also classifies common security vulnerabilities by cause, effect, code location and other criteria, in the form of a security manual, to give Cosmos ecosystem developers the most security guidance possible and to give security auditors a way to learn about and audit Cosmos security issues.

Currently, the basic components most commonly used by developers in the Cosmos ecosystem are the Cosmos SDK and the IBC protocol (Inter-Blockchain Communication protocol). These two components are also the ones developers most often extend when adding a chain's own logic.

For the Cosmos SDK, considering the degree of danger and scope of impact, we mainly focus on Critical and Major security vulnerabilities, which can usually cause the following risks:

1. The chain stops running

2. Loss of funds

3. Corruption of system state or disruption of normal operation

The causes of these dangers are often the following types of security vulnerabilities:

1. Denial of service

2. Incorrect state settings

3. Missing or inadequate validation

4. Uniqueness issues

5. Consensus algorithm issues

6. Logical loopholes in implementation

7. Language-feature issues

For IBC, common vulnerability categories are as follows:

1. Naming vulnerability

  • String handling vulnerability

  • Bytecode processing vulnerability

2. Vulnerabilities in the transmission process

  • Packet order vulnerability

  • Packet timeout vulnerability

  • Packet Authentication Vulnerability

  • Other packet vulnerabilities

3. Logic loopholes

  • State update vulnerability

  • Voting and consensus vulnerabilities

  • Other logic flaws

4. Gas consumption vulnerability

Although security issues on Cosmos are diverse, there is a positive side: the development process in the Cosmos ecosystem is gradually becoming standardized, so the assets to protect and the attack entry points are more predictable, which gives Cosmos ecosystem security auditors a clearer framework for auditing a chain. With the vision of improving the security of the Cosmos ecosystem, the Cosmos Ecosystem Security Guide analyzes these security scenarios in detail. For details, you can download the research report.

The CertiK team is committed to helping improve the security of Cosmos and the entire Web3 ecosystem through continuous research and vulnerability discovery, and will regularly publish project security reports and technical research. Stay tuned! If you have any questions, you can contact us at any time.

Read and download the full report: https://indd.adobe.com/view/91035407-4f21-4383-9485-a56394d9f95f

Official account link: https://mp.weixin.qq.com/s/RFHGOZNKMYCJ6ntvCNokFQ
