hippo

Prop 24: Software upgrade to v1.0.2 (Security Update)

Proposal for the Mainnet Upgrade: Security Update

Simple Summary

This proposal submits the v1.0.2 upgrade for the Hippo Protocol mainnet. This is a mandatory, state-breaking security release. It addresses critical vulnerabilities in both the consensus engine (CometBFT) and the application state machine (Cosmos SDK), specifically targeting potential chain-halt vectors.

  • CometBFT: v0.38.17 → v0.38.19
  • Cosmos SDK: v0.50.13 → v0.50.14
  • Action Required: Coordinated Upgrade. All validators must stop and upgrade to the v1.0.2 binary at the designated block height. Rolling upgrades are NOT possible due to state-breaking changes in the SDK.

Abstract

The v1.0.2 upgrade strengthens the network against Denial-of-Service (DoS) attacks and state-machine failures. The primary fixes included are:

  1. Cosmos SDK (GHSA-p22h-3m2v-cmgh): Fixes a critical issue in the x/distribution module where an overflow in the historical rewards pool can cause the chain to halt.
  2. CometBFT (GHSA-hrhf-2vcr-ghch): Fixes a vulnerability where malicious peers could trigger a panic via invalid BitArray messages.
  3. Dependabot Alerts: Resolves security warnings related to other dependencies found in the repository.

Motivation

The motivation for this upgrade is strictly security and stability. Leaving the network on the current version exposes it to known vectors that can result in a total network stoppage.

  1. Prevent Chain Halt (x/distribution):

The update to Cosmos SDK v0.50.14 is required to fix GHSA-p22h-3m2v-cmgh. Without this patch, the chain risks halting if the historical rewards pool overflows—a known issue affecting chains using the standard distribution module.

  2. Prevent Consensus Panic (CometBFT):

The update to CometBFT v0.38.19 resolves GHSA-hrhf-2vcr-ghch. This mitigates a high-severity DoS vector where malformed consensus messages could crash validator nodes.

  3. Supply Chain Security:

The dependency updates mitigate severe vulnerabilities identified in Dependabot alerts.

Documentation

Specification

  • Binary: Upgrade network binary to reference Cosmos SDK v0.50.14 and CometBFT v0.38.19.
  • State Migration: The upgrade handler will perform the necessary state migrations required by the Cosmos SDK patch.
  • Dependency cleanup: Apply fixes for identified insecure dependencies in go.mod.

Rationale

The nature of the x/distribution fix in Cosmos SDK v0.50.14 is state-breaking. It alters how historical rewards are calculated/stored to prevent overflows. Therefore, a coordinated network upgrade is the only safe way to apply this patch. Delaying this upgrade increases the probability of an accidental or malicious chain halt as the network grows.

Drawbacks

  • Network Halt: The chain must halt (possibly for seconds) at the upgrade height.
  • Coordination Overhead: Validators must be available to switch binaries simultaneously; a rolling restart strategy cannot be used.

Unresolved Questions

  • None.

Security Considerations

  • Critical Severity: Both main components of the stack (Consensus & Application) are being patched for halt-inducing bugs.
  • Urgency: As recommended by the Cosmos SDK team, this upgrade should be applied as soon as possible to eliminate the overflow risk.

Prior Art

  • This upgrade aligns with the remediation steps taken by other Cosmos SDK v0.50.x chains currently patching against GHSA-p22h-3m2v-cmgh.

Backwards Compatibility

  • NOT Backwards Compatible: This is a state-breaking upgrade.
  • No Rolling Upgrades: Validators utilizing Cosmovisor should ensure the new binary is ready for the automated switch. Manual operators must stop the node at the upgrade height and replace the binary before restarting.

Test Cases

  • Overflow Simulation: Verify that historical rewards calculation no longer panics under overflow conditions (via SDK unit tests).
  • Consensus Safety: Validate block production continues with CometBFT v0.38.19.
  • Upgrade Replay: Successfully simulate the upgrade from v1.0.1 to v1.0.2 in a testnet environment without app hash mismatches.

Field: Data
info: {"binaries": {"darwin/amd64": "https://github.com/hippo-protocol/hippo-protocol/releases/download/v1.0.2/hippod-v1.0.2-darwin-amd64?checksum=sha256:cfe8b386407471e4810dd8a1d5b8030f55e02cfd6c78c2d084dfe7688aede30e", "linux/amd64": "https://github.com/hippo-protocol/hippo-protocol/releases/download/v1.0.2/hippod-v1.0.2-linux-amd64?checksum=sha256:cafdb6bcc3c507ba9314cc848ec0a3e8a352070086ebfe9c6c4a9fd73886bac4", "linux/arm64": "https://github.com/hippo-protocol/hippo-protocol/releases/download/v1.0.2/hippod-v1.0.2-linux-arm64?checksum=sha256:c0056660213583705da2d0f818a2c36e32d4d67b47b4e04544ac29b643394f99"}}
name: v1.0.2
time: 0001-01-01T00:00:00Z
height: 3847000
upgraded_client_state:
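
Manual operators who replace the binary by hand can check their download against the digest pinned in the plan's info field before the upgrade height. The following is an added example, not code from the Hippo Protocol repository or from Cosmovisor; the names ExpectedSHA256 and VerifyBinary are hypothetical, and it assumes the info JSON keeps the shape shown above.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"log"
	"net/url"
	"os"
	"strings"
)

// ExpectedSHA256 (hypothetical helper) returns the hex digest pinned for platform in the plan's info JSON, read from the URL's checksum=sha256:<hex> parameter.
func ExpectedSHA256(planInfo, platform string) (string, error) {
	var info struct{ Binaries map[string]string }
	if err := json.Unmarshal([]byte(planInfo), &info); err != nil {
		return "", err
	}
	u, err := url.Parse(info.Binaries[platform])
	if err != nil {
		return "", err
	}
	sum, err := hex.DecodeString(strings.TrimPrefix(u.Query().Get("checksum"), "sha256:"))
	if err != nil || len(sum) != sha256.Size {
		return "", fmt.Errorf("no valid sha256 checksum listed for %q", platform)
	}
	return hex.EncodeToString(sum), nil
}

// VerifyBinary (hypothetical helper) hashes r and reports whether it matches the pinned hex digest.
func VerifyBinary(r io.Reader, want string) (bool, error) {
	h := sha256.New()
	_, err := io.Copy(h, r)
	return err == nil && hex.EncodeToString(h.Sum(nil)) == want, err
}

func main() { // usage: verify '<info JSON>' <platform> < downloaded-binary
	if len(os.Args) != 3 {
		log.Fatal("usage: verify '<info JSON>' <platform> < downloaded-binary")
	}
	want, err := ExpectedSHA256(os.Args[1], os.Args[2])
	if err != nil {
		log.Fatal(err)
	}
	if ok, err := VerifyBinary(os.Stdin, want); !ok {
		log.Fatalf("checksum mismatch (read error: %v)", err)
	}
}
```

The program exits silently with status 0 on a match and non-zero on a mismatch, a missing platform entry, or a malformed checksum.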