The initial version of the ASA-2024-003 advisory (now amended) describes a vulnerability in x/auth/vesting that lets a malicious actor cause SetAccount to be called for uninitialized module accounts. This is problematic because module accounts should be initialized with SetModuleAccount, not SetAccount.

If that happens, the chain halts: GetModuleAccount panics the next time it is called from an ABCI method (e.g., BeginBlocker).

Upon inspection, two other code paths also allow SetAccount to be called for uninitialized module accounts:

  1. MsgGrant in x/authz
  2. MsgGrantAllowance in x/feegrant

This issue was reported to the Cosmos bug bounty program and subsequently fixed by ensuring the recipient is not a BlockedAddr.

Finally, the advisory was amended in its Addendum section to include the instances mentioned above.
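
The failure mode and the fix described above, as an added example that is not Cosmos SDK code. It is a constructed, simplified model: the Keeper type, the Grant handler, its checkBlocked flag, HaltsAfterGrant and the sample address are all hypothetical names chosen for illustration.

```go
package main

import "fmt"

// Constructed, simplified model of the account store; not Cosmos SDK code.
type Account interface{ Address() string }
type BaseAccount struct{ Addr string }
type ModuleAccount struct{ BaseAccount }
type Keeper struct {
	accounts map[string]Account
	blocked  map[string]bool // addresses reserved for module accounts
}

func (a BaseAccount) Address() string  { return a.Addr }
func (k *Keeper) SetAccount(a Account) { k.accounts[a.Address()] = a }

// GetModuleAccount creates the module account on first use; the type
// assertion panics if the address already holds a plain BaseAccount.
func (k *Keeper) GetModuleAccount(addr string) ModuleAccount {
	acc, found := k.accounts[addr]
	if !found {
		acc = ModuleAccount{BaseAccount{addr}}
		k.SetAccount(acc)
	}
	return acc.(ModuleAccount)
}

// Grant creates a missing recipient with SetAccount; checkBlocked=true models the fix.
func (k *Keeper) Grant(grantee string, checkBlocked bool) error {
	if checkBlocked && k.blocked[grantee] {
		return fmt.Errorf("%s is a blocked address", grantee)
	}
	if _, found := k.accounts[grantee]; !found {
		k.SetAccount(BaseAccount{grantee})
	}
	return nil
}

// HaltsAfterGrant grants to an uninitialized module address, then reports
// whether a BeginBlocker-style GetModuleAccount lookup panicked.
func HaltsAfterGrant(checkBlocked bool) (halted bool) {
	const modAddr = "constructed-module-addr"
	k := &Keeper{map[string]Account{}, map[string]bool{modAddr: true}}
	_ = k.Grant(modAddr, checkBlocked)
	defer func() { halted = recover() != nil }()
	k.GetModuleAccount(modAddr)
	return
}

func main() { fmt.Println(HaltsAfterGrant(false), HaltsAfterGrant(true)) }
```

In the model, the blocked-address check rejects the message before any account is written, so the later lookup still finds the address empty and can create the module account with the correct type.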