ZetaChain Disclosed Report

Cosmos SDK: Transaction Decoding Vulnerabilities (ASA-2024-0012 & ASA-2024-0013) – High Severity

Company
Created date: Jan 02 2025

Target

https://github.com/zeta-chain/go-tss

Vulnerability Details

Summary

A critical vulnerability has been identified in ZetaChain, an EVM-compatible L1 blockchain that connects multiple ecosystems; it originates from ZetaChain’s reliance on the Cosmos SDK. The issue permits unsafe transaction decoding, which can lead to a stack overflow (ASA-2024-0012) or resource exhaustion (ASA-2024-0013). Exploiting this flaw could disrupt ZetaChain’s node software, impacting network consensus, internal transactions, cross-chain functionality, and staking operations.


Finding Description

Vulnerability 1: ASA-2024-0012 (Stack Overflow)

  • Description: ZetaChain inherits from the Cosmos SDK a flaw in which decoding a deeply nested payload can overflow the call stack. Because no recursion depth limit is enforced, a crafted payload with excessive nesting can crash a node, resulting in denial of service.

  • Code Location: the vulnerability resides in the payload decoding path:

    // Decode the raw transaction payload into a struct. Nothing here bounds
    // how deeply the input may nest, so the decoder recurses as far as the
    // payload demands.
    err := codec.UnmarshalJSON(data, &someStruct)
    if err != nil {
        return err
    }
    

    The decoder recurses once per nesting level with no upper bound, so a sufficiently nested payload exhausts the stack.
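A defensive counterpart to the bare UnmarshalJSON call above, added here as an example and not code from the report or from the Cosmos SDK: it walks the JSON token stream without building a tree and rejects any payload nested deeper than a fixed limit before a recursive decoder ever sees it. MaxNestingDepth, NestingDepth, SafeUnmarshal and DeepPayload are names and policy values chosen for this example, and the inputs it feeds itself are constructed inline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooDeep is returned when a payload nests deeper than the allowed limit.
var ErrTooDeep = errors.New("payload nesting exceeds maximum depth")

// MaxNestingDepth is an assumed policy value for this example, not a Cosmos SDK constant.
const MaxNestingDepth = 32

// NestingDepth streams the JSON tokens of raw and returns the deepest
// object/array nesting it sees. Memory use stays flat regardless of input
// depth, and it returns as soon as the limit is crossed so a hostile payload
// cannot make the guard itself do unbounded work.
func NestingDepth(raw []byte, limit int) (int, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	depth, maxDepth := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return maxDepth, nil
		}
		if err != nil {
			return maxDepth, err
		}
		d, ok := tok.(json.Delim)
		if !ok {
			continue // scalars never change nesting depth
		}
		switch d {
		case '{', '[':
			depth++
			if depth > maxDepth {
				maxDepth = depth
			}
			if depth > limit {
				return maxDepth, ErrTooDeep
			}
		case '}', ']':
			depth--
		}
	}
}

// SafeUnmarshal is the guarded form of the unchecked decode shown in the
// report: over-nested input is rejected before any recursive decoder runs.
func SafeUnmarshal(raw []byte, v interface{}) error {
	if _, err := NestingDepth(raw, MaxNestingDepth); err != nil {
		return fmt.Errorf("rejecting payload: %w", err)
	}
	return json.Unmarshal(raw, v)
}

// DeepPayload builds a constructed input: n nested JSON arrays around a single
// number. It exists only to exercise the guard.
func DeepPayload(n int) []byte {
	return []byte(strings.Repeat("[", n) + "0" + strings.Repeat("]", n))
}

func main() {
	for _, n := range []int{3, MaxNestingDepth, MaxNestingDepth + 1, 100000} {
		var v interface{}
		err := SafeUnmarshal(DeepPayload(n), &v)
		fmt.Printf("nesting %6d -> err=%v\n", n, err)
	}
}
```

The guard runs in a single pass over the bytes, so its cost is linear in payload size and independent of nesting depth; that is what makes it safe to place in front of a decoder whose own cost is not.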

Vulnerability 2: ASA-2024-0013 (Resource Exhaustion)

  • Description: Nested messages in transactions handled by ZetaChain’s Cosmos SDK dependency can cause CPU and memory usage to grow exponentially with nesting depth. A malicious actor could exploit this by submitting deeply nested transactions that overwhelm the node.

  • Code Location: unpacking interfaces without validation creates the resource exhaustion risk:

    // Recursively resolve every nested interface (Any) value in the struct.
    // Without a depth limit or a bound on the total number of messages, the
    // work done here is controlled entirely by the submitted transaction.
    err := someStruct.UnpackInterfaces(unpacker)
    if err != nil {
        return err
    }
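A depth- and budget-bounded version of the recursive unpack pass shown above, added as an illustration and not taken from the report or the Cosmos SDK. Msg is a constructed stand-in for a message that can carry other messages; UnpackBounded, MaxUnpackDepth and MaxUnpackNodes are assumed names and policy values. It goes one step beyond the report’s recommendation by showing why a depth limit alone is not enough: a wide, shallow tree stays within the depth limit yet still consumes CPU in proportion to its size, so the example pairs the depth ceiling with a total-node budget.

```go
package main

import (
	"errors"
	"fmt"
)

// Msg is a constructed stand-in for a transaction message that may contain
// other messages, the shape that lets unpacking work explode.
type Msg struct {
	TypeURL string
	Nested  []*Msg
}

// Assumed policy values for this example, not Cosmos SDK constants.
const (
	MaxUnpackDepth = 16
	MaxUnpackNodes = 256
)

var (
	ErrUnpackTooDeep = errors.New("nested message depth limit exceeded")
	ErrUnpackBudget  = errors.New("nested message count limit exceeded")
)

// UnpackStats records how much work a guarded unpack actually performed.
type UnpackStats struct {
	Nodes    int
	MaxDepth int
}

// UnpackBounded mirrors a recursive UnpackInterfaces pass but threads two
// limits through the recursion: a depth ceiling (defends the stack) and a
// total-node budget (defends CPU and memory against wide trees).
func UnpackBounded(m *Msg) (UnpackStats, error) {
	var st UnpackStats
	err := unpackRec(m, 1, &st)
	return st, err
}

func unpackRec(m *Msg, depth int, st *UnpackStats) error {
	if depth > MaxUnpackDepth {
		return ErrUnpackTooDeep
	}
	st.Nodes++
	if st.Nodes > MaxUnpackNodes {
		return ErrUnpackBudget
	}
	if depth > st.MaxDepth {
		st.MaxDepth = depth
	}
	// Real code would resolve m.TypeURL against the interface registry here;
	// this example only tracks the traversal.
	for _, child := range m.Nested {
		if err := unpackRec(child, depth+1, st); err != nil {
			return err
		}
	}
	return nil
}

// Chain builds a constructed message nested n levels deep, one child per level.
func Chain(n int) *Msg {
	root := &Msg{TypeURL: "/example.Msg"}
	cur := root
	for i := 1; i < n; i++ {
		next := &Msg{TypeURL: "/example.Msg"}
		cur.Nested = []*Msg{next}
		cur = next
	}
	return root
}

// Fan builds a constructed tree with `width` children at each of `levels` levels.
func Fan(width, levels int) *Msg {
	m := &Msg{TypeURL: "/example.Msg"}
	if levels > 1 {
		for i := 0; i < width; i++ {
			m.Nested = append(m.Nested, Fan(width, levels-1))
		}
	}
	return m
}

func main() {
	for name, m := range map[string]*Msg{
		"chain-5":  Chain(5),
		"chain-17": Chain(MaxUnpackDepth + 1),
		"fan-4x4":  Fan(4, 4),
		"fan-4x5":  Fan(4, 5),
	} {
		st, err := UnpackBounded(m)
		fmt.Printf("%-9s nodes=%d depth=%d err=%v\n", name, st.Nodes, st.MaxDepth, err)
	}
}
```

The fan-shaped tree five levels deep never exceeds the depth limit but is stopped by the node budget after 256 messages, which is the case a depth check on its own would let through.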
    

Impact Explanation

Severity: Critical

ASA-2024-0012 (Stack Overflow):

  • Impact: Exploitation can lead to complete node crashes and halt network consensus, disrupting ZetaChain’s ability to process internal and cross-chain transactions. This aligns with the impact scope:
    • "Network not being able to confirm new transactions (total network shutdown)."
    • "Unintended permanent chain split requiring hard fork."

ASA-2024-0013 (Resource Exhaustion):

  • Impact: Malicious transactions could cause critical resource exhaustion, leading to widespread validator downtime and reduced decentralization. This aligns with the impact scope:
    • "Causing network processing nodes to process transactions from the mempool beyond set parameters."
    • "Shutdown of greater than or equal to 30% of network processing nodes without brute force actions."

Likelihood Explanation

Because ZetaChain’s node software depends on the affected Cosmos SDK code, this vulnerability is likely exploitable in the current implementation. The absence of depth and resource validation during decoding increases the risk of exploitation.


Proof of Concept

https://dailycve.com/cosmos-sdk-transaction-decoding-vulnerabilities-asa-2024-0012-asa-2024-0013-high-severity/
https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-8wcc-m6j2-qxvm

ASA-2024-0012:

A crafted transaction payload with excessive nested data can be submitted via the following steps:

  1. Generate a payload with deeply nested JSON data.
  2. Submit the transaction to a node processing transactions.
  3. Observe the crash due to stack overflow.

ASA-2024-0013:

  1. Craft a transaction with recursive nested messages.
  2. Submit the transaction repeatedly to overwhelm node resources.
  3. Monitor resource exhaustion and node crashes.

Recommendation

  • Mitigation: Upgrade to Cosmos SDK versions v0.47.15 or v0.50.11, which address these vulnerabilities by adding recursion depth limits and enhanced resource validation.
  • Validation: Conduct rigorous testing to ensure deep nesting and excessive unpacking are handled gracefully.
  • Monitoring: Implement monitoring tools to detect abnormal transaction patterns, CPU usage, and memory consumption.

Validation steps

Same as the Proof of Concept section above.

Report History

State: disclosed
Severity: Critical
Bounty: $0
Visibility: visible
Vulnerability type: Blockchain
Participants (2): manager, author