
Cloud Vulnerability DB
A community-led vulnerabilities database
The Barberry security vulnerability (GHSA-j2cr-jc39-wpx5) is a high-severity issue in the Cosmos SDK affecting versions v0.46.0 through v0.46.12 and v0.47.0 through v0.47.2. It was disclosed on June 7, 2023, and the patched releases followed on June 8, 2023. The flaw is in the PeriodicVestingAccount type provided by the vesting subpackage of the x/auth module (x/auth/vesting) (Cosmos Forum, GitHub Advisory).
The flaw allows an attacker to initialize a victim's address as a malicious PeriodicVestingAccount whose vesting schedule the attacker, not the victim, chooses: the account accepts deposits as normal, but the victim's attempts to withdraw the balance are rejected (GitHub Advisory).
When exploited, the vulnerability permanently locks funds in the compromised account. Any tokens sent to the address can be deposited but never withdrawn by the legitimate owner, so every transfer into it is effectively a permanent loss of those assets (GitHub Advisory).
No workaround exists; the only mitigation is to upgrade immediately to a patched release: v0.46.13 for the Cosmos SDK v0.46.x line and v0.47.3 for the v0.47.x line. Networks can patch through either a rolling upgrade or a coordinated upgrade; the recommendation is to choose whichever gets 66%+1 of voting power onto the patched binary soonest, because that is the supermajority Tendermint consensus needs to commit blocks, so once it is reached the patched state machine prevails and unpatched validators fall out of consensus until they upgrade (Cosmos Forum, GitHub Advisory).
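The first question for any chain operator is whether the binary they ship actually builds against an affected SDK. Cosmos chains commonly pin the SDK through a `replace` directive to a fork, and a fork pinned to a Go pseudo-version such as `v0.46.13-0.<timestamp>-<hash>` sits between v0.46.12 and the v0.46.13 tag, so it cannot be assumed to carry the fix. The following Go program is an added example, not code from the Cosmos SDK or from the advisory: it reads a go.mod, resolves the effective SDK module and version (honouring `replace`), and classifies the version against the ranges the advisory lists. The `sampleGoMod` text, the fork path `github.com/example/cosmos-sdk`, and the function names are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const sdkModule = "github.com/cosmos/cosmos-sdk"

// version is a parsed Go module version. pre marks a pre-release or pseudo-version
// (e.g. v0.46.13-0.20230608120000-0123456789ab); Go orders those BEFORE the bare
// release, so a fork pinned "on the way to" v0.46.13 is not yet at the patched tag.
type version struct {
	major, minor, patch int
	pre                 bool
}

func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(s, "v")
	var v version
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.pre = s[i] == '-' // "+incompatible" is build metadata and does not lower precedence
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return version{}, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", s)
	}
	nums := make([]int, 3)
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("bad version component %q: %w", p, err)
		}
		nums[i] = n
	}
	v.major, v.minor, v.patch = nums[0], nums[1], nums[2]
	return v, nil
}

// less reports whether a sorts before b under Go module version ordering.
func (a version) less(b version) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	if a.patch != b.patch {
		return a.patch < b.patch
	}
	return a.pre && !b.pre
}

// Affected ranges from the advisory as half-open intervals [firstAffected, firstPatched).
var barberryRanges = []struct{ firstAffected, firstPatched version }{
	{version{0, 46, 0, false}, version{0, 46, 13, false}},
	{version{0, 47, 0, false}, version{0, 47, 3, false}},
}

// Status returns "affected", "patched" (v0.46.13+ or v0.47.3+) or "unlisted" for a
// release line the advisory does not enumerate (e.g. v0.45.x), which needs separate review.
func Status(ver string) (string, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return "", err
	}
	for _, r := range barberryRanges {
		if !v.less(r.firstAffected) && v.less(r.firstPatched) {
			return "affected", nil
		}
		if v.major == r.firstPatched.major && v.minor == r.firstPatched.minor && !v.less(r.firstPatched) {
			return "patched", nil
		}
	}
	return "unlisted", nil
}

// EffectiveSDKVersion scans go.mod text for the SDK version that is actually built: the
// require entry, overridden by a replace directive when the chain builds a fork. Only the
// "module => module version" replace form is resolved; a replace to a local directory
// returns an error because the version must be read from that checkout instead.
func EffectiveSDKVersion(gomod string) (path, ver string, err error) {
	var reqVer, repPath, repVer string
	block := "" // "require" or "replace" while inside a parenthesised block
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		directive := block
		if f[0] == ")" {
			block = ""
			continue
		}
		if f[0] == "require" || f[0] == "replace" {
			directive, f = f[0], f[1:]
			if len(f) == 1 && f[0] == "(" {
				block = directive
				continue
			}
		}
		if len(f) == 0 || f[0] != sdkModule {
			continue
		}
		switch directive {
		case "require":
			if len(f) >= 2 {
				reqVer = f[1]
			}
		case "replace": // forms: old => new vY   or   old vX => new vY
			arrow := -1
			for i, s := range f {
				if s == "=>" {
					arrow = i
				}
			}
			if arrow < 0 {
				continue
			}
			rhs := f[arrow+1:]
			if len(rhs) != 2 {
				return "", "", fmt.Errorf("%s replaced by local path %q; read its version from that checkout", sdkModule, strings.Join(rhs, " "))
			}
			repPath, repVer = rhs[0], rhs[1]
		}
	}
	switch {
	case repVer != "":
		return repPath, repVer, nil
	case reqVer != "":
		return sdkModule, reqVer, nil
	}
	return "", "", fmt.Errorf("%s not found in go.mod", sdkModule)
}

// sampleGoMod is a constructed go.mod: the require line looks patched-adjacent, but the
// replace pins a fork at a pseudo-version that precedes the v0.46.13 tag.
const sampleGoMod = `module github.com/example/examplechain

go 1.20

require (
	github.com/cosmos/cosmos-sdk v0.46.12
	github.com/cosmos/ibc-go/v6 v6.1.1
)

replace github.com/cosmos/cosmos-sdk => github.com/example/cosmos-sdk v0.46.13-0.20230608120000-0123456789ab
`

func main() {
	path, ver, err := EffectiveSDKVersion(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	status, _ := Status(ver)
	fmt.Printf("%s %s: %s\n", path, ver, status)
}
```

Run against a real chain by replacing `sampleGoMod` with the contents of the repository's go.mod. A "patched" result only means the pinned tag is at or past v0.46.13 or v0.47.3; a fork at a pseudo-version reports "affected" deliberately, since whether it cherry-picked the fix can only be confirmed from the fork's history.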
The disclosure prompted an immediate response from the Cosmos ecosystem, with several teams offering support: Notional announced it would assist affected teams free of charge, and Informal Systems and Amulet were designated to help identify vulnerable chains and coordinate patching (Cosmos Forum).
Source: This report was generated using AI