GHSA-6wxf-7784-62fp: 
vulnerability analysis and mitigation

A critical vulnerability was discovered in Horcrux, a validator software, affecting versions v3.1.0 through v3.3.1. The vulnerability (GHSA-6wxf-7784-62fp) was introduced in July 2023 and allowed for potential double-signing of blockchain transactions due to a race condition in signature state handling. The issue was discovered after a validator experienced a double-signing incident on March 6, 2025, on the Osmosis network (GitHub Advisory).

The vulnerability stemmed from a race condition in the signature state handling code where two sign requests arriving simultaneously for the same Height-Round-Step (HRS) could proceed concurrently due to a split read-write lock pattern. The HRSKey() method used a read lock to check the current signature state, while the cacheAndMarshal() method used a separate write lock to update the state. This non-atomic operation allowed concurrent signature requests to pass initial safety checks before state updates, leading to double signatures. The issue manifested when two different signatures were produced within 1.5 milliseconds of each other, as evidenced in the logs (GitHub Advisory).

The vulnerability resulted in one known validator (01node) being affected, leading to a 5% slash penalty of approximately 75,000 OSMO (valued at $20,000 USD) on the Osmosis network. The incident occurred at Osmosis block height 30968345. While the probability of occurrence was extremely low (approximately 1 in 1 billion per signed vote), the severity was high due to the significant financial penalties associated with double-signing violations (GitHub Advisory).

A fix was released in version v3.3.2, implementing a single mutex lock that covers both reading and writing of the signature state. Users running affected versions (v3.1.0 through v3.3.1) are advised to update immediately. The update process involves downloading the v3.3.2 release binary or container image, applying it to the deployment, and restarting cosigner processes one at a time to ensure continuous validator operation. The fix is backward compatible and requires no configuration changes (GitHub Advisory).

Strangelove, the maintainer of Horcrux, acknowledged the incident and committed to working with 01node to reimburse those impacted by the tombstone event slash. They also announced implementing preventive measures including additional tests for concurrent signature requests, comprehensive review of mutex usage, enhanced logging and monitoring, and improved code review processes for security-critical components (GitHub Advisory).