As described by user @Jessysaurusrex on Cosmos Forum in forum.cosmos.network, All in Bits has learned of a critical security vulnerability in the codebase for the Cosmos Hub. We deem the issue to be of high severity, as if exploited it can potentially degrade the security model of the chain's Proof of Stake system. This vulnerability CANNOT lead to the theft of Atoms or creation of Atoms out of thin air.
All in Bits has released a source code patch, Gaia v0.34.6, that closes the exploitable code path starting at block 482100.
The proposed upgrade code Git hash is: 80234baf91a15dd9a7df8dca38677b66b8d148c1
As a proof of stake, we are putting some collateral behind the legitimacy of this bug and patch and encourage others familiar with the report to do so as well. If the disclosed bug turns out to be fabricated or malicious in some way, we urge the Cosmos Hub governance to slash these Atoms by voting NoWithVeto on this proposal.
We encourage validators and all users to upgrade their nodes to Gaia v0.34.6 before block 482100. In the absence of another public bulletin board, we request validators to please vote Yes on this proposal AFTER they have upgraded their nodes to v0.34.6, as a method of signalling the readiness of the network for the upgrade.