A critical vulnerability was discovered in the ismp-grandpa crate that allowed a malicious prover to easily convince the verifier of the finality of arbitrary headers.
Description
The vulnerability manifests as a verifier that only accepts incorrect signatures of GRANDPA precommits. It was introduced in this specific commit, perhaps due to unfamiliarity with core Substrate APIs: the if statement should have included a negation check, as the previous code did, but this was omitted, causing the verifier to accept only invalid signatures.
This vulnerability remained undetected even with integration tests, because the prover was also misconfigured to initialize the GRANDPA verifier with the incorrect authority set_id. This causes verification of honest precommit signatures to fail, since the message the verifier reconstructs is malformed, and the verifier in turn only accepts signatures or messages that fail the verification check, so the two mistakes cancelled out in testing.
Even more devastatingly, the verifier will also accept malicious GRANDPA signatures for any precommit message.
This vulnerability has been fixed in this commit and a patch release has been published.
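The inverted check and the set_id misconfiguration that masked it, as an added Rust illustration. This is not the ismp-grandpa code: the message layout, the function names and the toy keyed-hash "signature" standing in for the real ed25519 check are assumptions made so that the example runs without external crates.

```rust
// Added illustration, not code from ismp-grandpa. The toy keyed hash below is a
// stand-in for the real ed25519 signature check so that the example runs
// without external crates; the message layout and function names are assumed.

/// A precommit as it reaches the verifier: the vote target plus the signature
/// of one authority (an index into the authority set).
#[derive(Clone)]
struct SignedPrecommit {
    target_hash: [u8; 32],
    target_number: u64,
    authority: usize,
    signature: u64,
}

/// GRANDPA authorities sign the precommit together with the round and the
/// authority set id. A verifier initialized with the wrong set_id rebuilds a
/// different message, so honest signatures stop verifying (assumed layout).
fn signed_message(target_hash: &[u8; 32], target_number: u64, round: u64, set_id: u64) -> Vec<u8> {
    let mut msg = Vec::with_capacity(56);
    msg.extend_from_slice(target_hash);
    msg.extend_from_slice(&target_number.to_le_bytes());
    msg.extend_from_slice(&round.to_le_bytes());
    msg.extend_from_slice(&set_id.to_le_bytes());
    msg
}

/// Toy keyed hash (FNV-1a over key || message). Stand-in for ed25519 only.
fn toy_sign(key: &[u8], msg: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key.iter().chain(msg.iter()) {
        h ^= u64::from(*b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h
}

fn toy_verify(key: &[u8], msg: &[u8], sig: u64) -> bool {
    toy_sign(key, msg) == sig
}

/// Vulnerable shape: the `if` is missing its `!`, so a precommit that verifies
/// is rejected and anything that fails verification is counted as valid.
fn check_precommits_vulnerable(precommits: &[SignedPrecommit], authorities: &[Vec<u8>], round: u64, set_id: u64) -> Result<usize, &'static str> {
    let mut valid = 0;
    for p in precommits {
        let msg = signed_message(&p.target_hash, p.target_number, round, set_id);
        if toy_verify(&authorities[p.authority], &msg, p.signature) {
            return Err("invalid precommit signature");
        }
        valid += 1;
    }
    Ok(valid)
}

/// Fixed shape: reject when the signature does NOT verify.
fn check_precommits_fixed(precommits: &[SignedPrecommit], authorities: &[Vec<u8>], round: u64, set_id: u64) -> Result<usize, &'static str> {
    let mut valid = 0;
    for p in precommits {
        let msg = signed_message(&p.target_hash, p.target_number, round, set_id);
        if !toy_verify(&authorities[p.authority], &msg, p.signature) {
            return Err("invalid precommit signature");
        }
        valid += 1;
    }
    Ok(valid)
}

/// Constructed sample: two authorities each sign the same target in round 1
/// under the given set_id. Returns the precommits and the authority keys.
fn sample_round(set_id: u64) -> (Vec<SignedPrecommit>, Vec<Vec<u8>>) {
    let authorities: Vec<Vec<u8>> = vec![b"authority-key-0".to_vec(), b"authority-key-1".to_vec()];
    let target_hash = [0x42u8; 32];
    let precommits = authorities
        .iter()
        .enumerate()
        .map(|(i, key)| {
            let msg = signed_message(&target_hash, 100, 1, set_id);
            SignedPrecommit { target_hash, target_number: 100, authority: i, signature: toy_sign(key, &msg) }
        })
        .collect();
    (precommits, authorities)
}

/// The same precommits with garbage signatures (constructed), i.e. signatures
/// that do not verify under any authority key.
fn forge(precommits: &[SignedPrecommit]) -> Vec<SignedPrecommit> {
    precommits.iter().map(|p| SignedPrecommit { signature: 0xdead_beef, ..p.clone() }).collect()
}

fn main() {
    let (honest, authorities) = sample_round(7);
    let forged = forge(&honest);
    // Verifier configured with the right set_id (7): fixed accepts, vulnerable rejects.
    println!("fixed, honest, set_id ok:         {:?}", check_precommits_fixed(&honest, &authorities, 1, 7));
    println!("vulnerable, honest, set_id ok:    {:?}", check_precommits_vulnerable(&honest, &authorities, 1, 7));
    // Verifier misconfigured with set_id 8: honest signatures no longer verify,
    // which is exactly what let the inverted check pass the integration tests.
    println!("fixed, honest, set_id wrong:      {:?}", check_precommits_fixed(&honest, &authorities, 1, 8));
    println!("vulnerable, honest, set_id wrong: {:?}", check_precommits_vulnerable(&honest, &authorities, 1, 8));
    // Signatures that verify under no key are accepted by the vulnerable verifier.
    println!("fixed, forged:                    {:?}", check_precommits_fixed(&forged, &authorities, 1, 7));
    println!("vulnerable, forged:               {:?}", check_precommits_vulnerable(&forged, &authorities, 1, 7));
}
```

The combination worth noticing is the second pair of lines: with the verifier handed the wrong set_id, honest precommits fail verification and the inverted check reports them as valid, so an integration test that only asserts "honest input is accepted" is green for the wrong reason. A test that asserts rejection of a tampered signature catches the inverted branch regardless of how set_id is configured.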
Impact
This could be used to steal funds or compromise other kinds of cross-chain applications.
Patches
This vulnerability has been fixed in the latest version of ismp-grandpa, v15.0.1.
Recommendations
Users who rely on the compromised versions must upgrade immediately, as all vulnerable versions of the crate have been yanked.