See doc/triage.md for instructions on how to triage this report.
modules:
    - module: github.com/cosmos/cosmos-sdk
      versions:
        - {}
      vulnerable_at: 0.47.3
      packages:
        - package: github.com/cosmos/cosmos-sdk
summary: github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee
description: |-
    # x/crisis does not charge ConstantFee

    ### Impact

    If a transaction is sent to the `x/crisis` module to check an invariant, the
    ConstantFee parameter of the chain is NOT charged. All versions of the
    `x/crisis` module are affected on all versions of the Cosmos SDK.

    ### Details

    The `x/crisis` module is supposed to allow anyone to halt a chain in the
    event of a violated invariant by sending a `MsgVerifyInvariant` with the
    name of the invariant. Processing this message takes extra processing power
    hence a `ConstantFee` was introduced on the chain that is charged as extra
    from the reporter for the extra computational work. This is supposed to
    avert spammers on the chain making nodes do extra computations using this
    transaction. By not charging the `ConstantFee`, the transactions related to
    invariant checking are relatively cheaper compared to the computational need
    and other transactions.

    That said, the submitter still has to pay the transaction fee to put the
    transaction on the network, hence using this weakness for spamming is
    limited by the usual mechanisms.

    Synthetic testing showed up to a 20% increase in CPU usage on a validator
    node that is spammed by hundreds of `MsgVerifyInvariant` messages which
    still makes this an expensive operation to carry out on a live blockchain
    network.

    ### Patches

    The `ConstantFee` charge of the `x/crisis` module will either be fixed or
    disabled in an upcoming regular release of the Cosmos SDK.

    The `x/crisis` module was originally intended to allow chains to halt rather
    than continue with some unknown behavior in the case of an invariant
    violation (safety over liveness). However, as chains mature, and especially
    as the potential [cost of halting
    increases](https://github.com/osmosis-labs/osmosis/issues/570), chains
    should consider carefully what invariants they really want to halt for, and
    what invariants are just sort of helpful sanity checks.

    The SDK team is working on new modules that allow chain developers to
    fine-tune the chain invariants and the necessary actions.

    Hence, the decision was made that the `x/crisis` module will be deprecated
    when new modules take over its responsibilities.

    ### Workarounds

    There is no workaround posted. Validators are advised to leave some extra
    computing room on their servers for possible spamming scenarios. (This is a
    good measure in any case.)

    ### References

    SDK developer epic about invariant checking:
    https://github.com/cosmos/cosmos-sdk/issues/15706
ghsas:
    - GHSA-w5w5-2882-47pc
references:
    - advisory: https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-w5w5-2882-47pc
    - report: https://github.com/cosmos/cosmos-sdk/issues/15706
    - advisory: https://github.com/advisories/GHSA-w5w5-2882-47pc
In GitHub Security Advisory GHSA-w5w5-2882-47pc, there is a vulnerability in the following Go packages or modules:
Cross references: