GHSA-p22h-3m2v-cmgh: 
vulnerability analysis and mitigation

An integer overflow vulnerability was discovered in the Cosmos SDK's distribution module (GHSA-p22h-3m2v-cmgh) that could cause a chain halt. The vulnerability affects Cosmos SDK versions <= v0.50.13 and <= 0.53.2, impacting validators, full nodes, and users on chains that utilize the distribution module. The issue was reported through the Cosmos Bug Bounty Program by myte1111111 on HackerOne on April 15, 2025, and was patched in versions 0.50.14 and 0.53.3 released on July 8, 2025 (GitHub Advisory).

The vulnerability exists in the distribution module where a malicious deposit into the Validator Rewards pool could result in an integer overflow, subsequently causing a chain halt. The issue occurs when processing validator rewards, specifically when handling large deposits that could cause an overflow in the historical rewards calculations. The vulnerability has been assigned a CVSS v4.0 score of 7.7 (High severity), with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, and High impact on Availability (GitHub Advisory).

The vulnerability can lead to a complete chain halt when exploited, affecting the availability of the entire blockchain network. This impacts all chains using the distribution module in the affected Cosmos SDK versions. The severity is particularly high as it affects core blockchain functionality and requires a coordinated chain upgrade to apply the fix (GitHub Advisory).

The vulnerability has been patched in Cosmos SDK versions 0.50.14 and 0.53.3. There are no known workarounds for this issue, and affected chains must perform a coordinated upgrade to the patched versions. The fix cannot be applied in a rolling upgrade due to its state-breaking nature (GitHub Advisory).