GHSA-86h5-xcpx-cfqc: 
vulnerability analysis and mitigation

A low severity vulnerability (GHSA-86h5-xcpx-cfqc) was identified in the Cosmos SDK affecting versions <= 0.50.4 and <= 0.47.9. The issue was discovered on December 6, 2023, by cat shark (Khanh) through the Cosmos Bug Bounty Program on HackerOne. The vulnerability affects chain developers, validator, and node operators using the affected versions of the Cosmos SDK (Cosmos Advisory).

The vulnerability exists in the slashing mechanism of the Cosmos SDK, specifically related to the re-delegation process. The issue allows for potential evasion of slashing penalties during a slashing event through manipulation of re-delegation behavior. The vulnerability is classified with CWE-372 and has been assigned a low severity rating (Cosmos Advisory).

If exploited, the vulnerability allows delegations that contributed to byzantine behavior of a validator to potentially evade pending slashing penalties. This evasion is possible when the validator has not yet been slashed, and the delegation uses specific re-delegation patterns to avoid the penalty (Cosmos Advisory).

The issue has been patched in Cosmos SDK versions 0.50.5 and 0.47.10. Chain developers using affected versions are advised to update to the latest available version of the Cosmos SDK. Network operators are recommended to upgrade once a patched version is available. Additional validation logic has been implemented to restrict the problematic re-delegation behavior (Cosmos Advisory).