Security flaw in Cosmos SDK may allow DDoS attacks

Source Cryptopolitan

Blockchain security firm Oak Security has raised concerns about a weakness in the Cosmos software development kit (SDK) that could let an attacker mount a denial-of-service attack on a Cosmos-based network. In a Medium post, two of the firm's researchers, Edward Kotysh and Christian Vari, explained why they consider it a major risk.

According to the researchers, the issue is that the BeginBlock and EndBlock hooks, which every module can run at the start and end of each block, are not gas metered. This is by design: these hooks execute outside any user transaction, so there is no fee payer to charge, and leaving them unmetered gives developers a free computation window for block-level housekeeping that does not belong to any one transaction.

However, the researchers warned that what was meant to be a small allowance for developers can cause significant damage to Cosmos-based networks in several ways, including network congestion, validators missing their signing and voting duties, or a complete outage.

They said:

“This freedom can be a double-edged sword, and it can open up a Pandora’s box of potential vulnerabilities. The main issue is that without gas limits, poorly optimized or malicious code in BeginBlock and EndBlock can really wreak havoc.”

The researchers tested the potential impact experimentally on a test chain. In one experiment they injected randomized delays into the BeginBlock function at various block heights, with delays ranging from five seconds to one minute.

The delays caused substantial congestion: the chain's progress slowed and block times grew. Validators were affected too, with several failing to sign blocks within the required time and some missing voting phases altogether.

Unsurprisingly, once fewer than two-thirds of the validators (by voting power) were signing on time, consensus could not complete and the test chain suffered temporary outages. The researchers noted that the same behaviour would amount to a complete outage on a mainnet, where a steady stream of transactions is waiting to be finalized.

Oak Security recommends fixes for developers

Meanwhile, the researchers have recommended fixes to apply before a bad actor exploits the weakness. In their view, chains need strict computation bounds on these hooks so that no one can introduce an input that triggers excessive computation.

They identified three ways of implementing this: bounding the time complexity of the BeginBlock and EndBlock logic so it cannot run indefinitely (for example, capping the amount of work done per block), wrapping resource-intensive operations in a metered context so their cost is accounted for and limited, and validating every input these functions consume.
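The mechanism and the first recommendation side by side, as an added example that is not from the Oak Security post or the Cosmos SDK code base: a queue-draining BeginBlocker in the unbounded shape, and the same hook under an item cap and a self-imposed gas budget. `Context`, `GasMeter`, `Keeper` and the task queue are simplified stand-ins invented for this example (the real SDK types carry far more), and all queue sizes and gas numbers are constructed.

```go
package main

import "fmt"

// Context stands in for sdk.Context with only the fields this example needs.
// (Assumption: the names here are the example's own, not the SDK's.)
type Context struct {
	BlockHeight int64
	GasMeter    *GasMeter
}

// GasMeter has the shape of the SDK's gas meter: a budget consumed until it
// runs out. Transactions get one automatically; BeginBlock and EndBlock do
// not, so a module has to create and honour its own.
type GasMeter struct {
	Limit    uint64
	Consumed uint64
}

// TryConsume returns false instead of panicking when the budget is spent,
// so the caller can stop early rather than abort the block.
func (g *GasMeter) TryConsume(amount uint64) bool {
	if g.Consumed+amount > g.Limit {
		return false
	}
	g.Consumed += amount
	return true
}

// Task is deferred work a module queues for a later block, e.g. a matured
// unbonding entry. The queue is kept ordered by MatureAt, as a store
// iterator over a height-prefixed key would be.
type Task struct {
	ID       int
	MatureAt int64
}

type Keeper struct{ queue []Task }

func (k *Keeper) Enqueue(t Task) { k.queue = append(k.queue, t) }
func (k *Keeper) Pending() int  { return len(k.queue) }

// BeginBlockUnbounded is the anti-pattern: drain every matured task in one
// block. Because BeginBlock is not metered, nothing stops this loop; an
// attacker who grows the queue with cheap transactions in earlier blocks
// makes every validator do that much work before it can vote on the block.
func (k *Keeper) BeginBlockUnbounded(ctx Context) int {
	done := 0
	for len(k.queue) > 0 && k.queue[0].MatureAt <= ctx.BlockHeight {
		k.queue = k.queue[1:]
		done++
	}
	return done
}

// BeginBlockBounded does the same work under two explicit bounds: an item
// cap and a block-level gas budget charged per task. Whatever is left stays
// queued for the next block, so per-block cost is a constant the chain's
// developers chose, not a number the attacker chose. Returns how many tasks
// ran and how many are still queued (matured or not).
func (k *Keeper) BeginBlockBounded(ctx Context, maxPerBlock int, gasPerTask uint64) (processed, remaining int) {
	for processed < maxPerBlock && len(k.queue) > 0 && k.queue[0].MatureAt <= ctx.BlockHeight {
		if !ctx.GasMeter.TryConsume(gasPerTask) {
			break // budget spent: defer the rest rather than stall the block
		}
		k.queue = k.queue[1:]
		processed++
	}
	return processed, k.Pending()
}

// newKeeper fills a queue with n tasks maturing at height h (constructed input).
func newKeeper(n int, h int64) *Keeper {
	k := &Keeper{}
	for i := 0; i < n; i++ {
		k.Enqueue(Task{ID: i, MatureAt: h})
	}
	return k
}

func main() {
	const attackerQueued = 100000 // constructed: tasks an attacker managed to queue
	u := newKeeper(attackerQueued, 10)
	fmt.Println("unbounded work at height 10:", u.BeginBlockUnbounded(Context{BlockHeight: 10}))

	b := newKeeper(attackerQueued, 10)
	for h := int64(10); b.Pending() > 0 && h < 13; h++ {
		ctx := Context{BlockHeight: h, GasMeter: &GasMeter{Limit: 50_000}}
		p, r := b.BeginBlockBounded(ctx, 500, 100)
		fmt.Printf("height %d: processed %d, still queued %d\n", h, p, r)
	}
}
```

The bounded version deliberately does not return an error when the budget is exhausted: in the SDK an error from a BeginBlocker halts the node, which would hand the attacker the outage they wanted, so the safe failure mode is to stop early and carry the backlog forward.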

Additionally, they called for more comprehensive testing and simulation to determine how the weakness could be exploited and what its potential impact would be.

They also recommended architectural safeguards and operational monitoring that tracks baseline metrics such as block time and validator signing rates and alerts on any significant deviation.
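Monitoring for the two symptoms the experiment produced (block times far above the recent baseline and validators dropping out of the commit), as an added example rather than anything from the researchers or the SDK: it runs over a constructed series of block observations and flags the slow block and the drop in signed voting power. The `BlockObs` fields are this example's own names, not the CometBFT RPC schema; in practice they would be filled from each block header's time and the signatures in its LastCommit.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// BlockObs is what a monitor would pull from a node for each block.
// (Assumption: field names are this example's own.)
type BlockObs struct {
	Height      int64
	Time        time.Time
	SignedPower int64 // voting power whose precommit made it into this block's LastCommit
	TotalPower  int64
}

type Alert struct {
	Height int64
	Reason string
}

// median of a slice of durations, used as a robust baseline so that one slow
// block does not move the baseline the way a mean would.
func median(xs []time.Duration) time.Duration {
	s := append([]time.Duration(nil), xs...)
	sort.Slice(s, func(a, b int) bool { return s[a] < s[b] })
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// CheckBlocks flags a block whose interval exceeds slowFactor times the median
// of the last `window` intervals, and a block whose commit carries less than
// warnFraction of the voting power. The second check is a leading indicator:
// below two-thirds the chain cannot commit at all, so by then the only signal
// left is the interval check firing on a block that never arrives.
func CheckBlocks(obs []BlockObs, window int, slowFactor, warnFraction float64) []Alert {
	var alerts []Alert
	var intervals []time.Duration
	for i := 1; i < len(obs); i++ {
		iv := obs[i].Time.Sub(obs[i-1].Time)
		if len(intervals) > 0 {
			start := 0
			if len(intervals) > window {
				start = len(intervals) - window
			}
			base := median(intervals[start:])
			if float64(iv) > slowFactor*float64(base) {
				alerts = append(alerts, Alert{obs[i].Height,
					fmt.Sprintf("slow block: %s vs median %s", iv, base)})
			}
		}
		intervals = append(intervals, iv)

		if obs[i].TotalPower > 0 {
			frac := float64(obs[i].SignedPower) / float64(obs[i].TotalPower)
			if frac < warnFraction {
				alerts = append(alerts, Alert{obs[i].Height,
					fmt.Sprintf("signed power %.0f%% (chain halts below 66.7%%)", frac*100)})
			}
		}
	}
	return alerts
}

// SampleBlocks is constructed input: twelve blocks six seconds apart with
// every validator signing, except that block 9 arrives 45 s after block 8
// and only 70% of voting power made it into its commit.
func SampleBlocks() []BlockObs {
	base := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	var obs []BlockObs
	for i := 0; i < 12; i++ {
		h := int64(i + 1)
		t := base.Add(time.Duration(i) * 6 * time.Second)
		if h >= 9 {
			t = t.Add(39 * time.Second)
		}
		signed := int64(100)
		if h == 9 {
			signed = 70
		}
		obs = append(obs, BlockObs{Height: h, Time: t, SignedPower: signed, TotalPower: 100})
	}
	return obs
}

func main() {
	for _, a := range CheckBlocks(SampleBlocks(), 5, 3.0, 0.80) {
		fmt.Printf("height %d: %s\n", a.Height, a.Reason)
	}
}
```

The thresholds (three times the median interval, 80% signed power) are constructed starting points; a real deployment would tune them to the chain's configured block time and validator set, and would also watch per-validator missed-block counters so a single slow operator is not mistaken for a chain-wide BeginBlock stall.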

Cosmos SDK launches new version

Meanwhile, the Cosmos SDK maintainers have yet to comment on the report or say whether they will address the issue on their side. This may be because the behaviour identified is a design decision rather than a bug or malicious code, unlike the recent security alerts about supply chain attacks.

Fortunately, developers building on the Cosmos SDK can implement most of the researchers' recommendations in their own modules, since the BeginBlock and EndBlock logic is theirs to bound, and so keep what they deploy from being an easy denial-of-service target.

Separately, the Cosmos SDK recently released version v0.53.0. According to the announcement on X, the release responds to pain points builders raised about the previous version.

The new version reportedly adds unordered transactions, improved community pool capabilities, custom governance mechanisms, epochs, and custom minting, along with bug fixes; the release is available on GitHub.

Cosmos SDK is a tool for developers to easily build their own customized network and integrate with the Cosmos blockchain, a network seeking to become the Internet of Blockchains.
