From 6854ec67f0f0687157321a0bfdf0f997a3bf681a Mon Sep 17 00:00:00 2001
From: Alex | Interchain Labs
Date: Mon, 10 Mar 2025 11:04:49 -0400
Subject: [PATCH] fix(x/distribution): vulnerable incrementReferenceCount in distribution (#19301) (#23934)

Co-authored-by: Naveen <70747893+knkcse@users.noreply.github.com>
Co-authored-by: Aleksandr Bezobchuk
Co-authored-by: Likhita Polavarapu <78951027+likhita-809@users.noreply.github.com>
---
 CHANGELOG.md | 1 +
 x/distribution/keeper/validator.go | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 20c6ad406d..67fae8794a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -51,6 +51,7 @@ Ref: https://keepachangelog.com/en/1.0.0/
 ### Bug Fixes
+* (x/distribution) [#23934](https://github.com/cosmos/cosmos-sdk/pull/23934) Fix vulnerability in `incrementReferenceCount` in distribution.
 * (baseapp) [#23879](https://github.com/cosmos/cosmos-sdk/pull/23879) Ensure finalize block response is not empty in the defer check of FinalizeBlock to avoid panic by nil pointer.
 * (query) [#23883](https://github.com/cosmos/cosmos-sdk/pull/23883) Fix NPE in query pagination.
 * (client) [#23860](https://github.com/cosmos/cosmos-sdk/pull/23860) Add missing `unordered` field for legacy amino signing of tx body.
diff --git a/x/distribution/keeper/validator.go b/x/distribution/keeper/validator.go
index 9b830e5778..5ef0395a2e 100644
--- a/x/distribution/keeper/validator.go
+++ b/x/distribution/keeper/validator.go
@@ -122,10 +122,12 @@ func (k Keeper) incrementReferenceCount(ctx context.Context, valAddr sdk.ValAddr
 if err != nil {
 return err
 }
+
+ historical.ReferenceCount++
 if historical.ReferenceCount > 2 {
 panic("reference count should never exceed 2")
 }
- historical.ReferenceCount++
+
 return k.SetValidatorHistoricalRewards(ctx, valAddr, period, historical)
 }
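Review bot: The reordered guard in incrementReferenceCount (`historical.ReferenceCount++` now placed before `if historical.ReferenceCount > 2`) ships without a regression test; the diffstat shows only CHANGELOG.md and validator.go changed. The fix is purely a boundary change: with the old order a stored count of 2 passed the check and was written back as 3. A keeper test that seeds a record with ReferenceCount 2 and asserts the panic, plus one that seeds 1 and asserts 2 is persisted, would stop the two statements from being swapped back unnoticed. A short comment above the increment would also record the intent, e.g. `// increment first so the invariant is checked on the value that gets persisted`. The start of the function (the lookup that produces `historical` and `err`) lies outside the hunk.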