The initial version of the ASA-2024-003 advisory (now amended) demonstrates a vulnerability in x/auth/vesting that allows a malicious actor to call SetAccount for uninitialized module accounts. This is problematic because module accounts should be initialized with SetModuleAccount, not SetAccount.

If the above happens, the chain will halt due to a panic when GetModuleAccount is called during ABCI instances (e.g., BeginBlocker).

Upon inspection, two other instances allow calling SetAccount for uninitialized module accounts:

MsgGrant in x/authz
MsgGrantAllowance in x/feegrant

This issue is reported to the Cosmos bug bounty program and subsequently fixed by ensuring the recipient is not BlockedAddr:

Finally, the advisory is amended in the Addendum section to include the instances mentioned above.
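As an added illustration (not the SDK's own code), the following simplified Go model shows why a plain account stored at a module address makes GetModuleAccount panic, and how a grant handler that checks BlockedAddr first avoids creating such an account. The types, the `Grant` handler and the `cosmos1...` addresses used in tests are constructed assumptions, not SDK identifiers.

```go
package main

import "errors"

// Simplified account model (constructed for illustration; not the SDK's own types).
type Account interface{ Address() string }
type BaseAccount struct{ Addr string }
type ModuleAccount struct {
	BaseAccount
	Name string
}

func (a BaseAccount) Address() string { return a.Addr }

type AccountKeeper struct {
	accounts map[string]Account
	blocked  map[string]bool // module addresses that must only be created via SetModuleAccount
}

func (k *AccountKeeper) BlockedAddr(addr string) bool { return k.blocked[addr] }

// SetAccount stores any account type, including a BaseAccount at a module address.
func (k *AccountKeeper) SetAccount(acc Account) { k.accounts[acc.Address()] = acc }

// GetModuleAccount mirrors the failure mode the advisory describes: a non-module
// account sitting at a module address panics, which in BeginBlocker halts the chain.
func (k *AccountKeeper) GetModuleAccount(addr, name string) ModuleAccount {
	acc, ok := k.accounts[addr]
	if !ok {
		m := ModuleAccount{BaseAccount{addr}, name}
		k.accounts[addr] = m
		return m
	}
	m, isModule := acc.(ModuleAccount)
	if !isModule {
		panic("account at " + addr + " is not a module account")
	}
	return m
}

// Grant models the fixed MsgGrant / MsgGrantAllowance handlers: the grantee is
// checked against BlockedAddr before any account is created for it.
func (k *AccountKeeper) Grant(grantee string) error {
	if k.BlockedAddr(grantee) {
		return errors.New("grantee is a blocked (module) address")
	}
	if _, exists := k.accounts[grantee]; !exists {
		k.SetAccount(BaseAccount{grantee})
	}
	return nil
}
```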