Cosmos SDK v0.50.13 Security Upgrade

Scheduled Maintenance Report for ZetaChain

Completed

The scheduled maintenance has been completed.

Posted Mar 25, 2025 - 15:23 UTC

In progress

Scheduled maintenance is currently in progress. We will provide updates as necessary.

Posted Mar 12, 2025 - 23:00 UTC

Scheduled

To protect against a high criticality security update, ZetaChain has released v28.1.4 (https://github.com/zeta-chain/node/releases/tag/v28.1.4) for Mainnet and v29.0.3 (https://github.com/zeta-chain/node/releases/tag/v29.0.3) for Testnet to upgrade the networks to Cosmos SDK 0.50.13. We request that all node operators upgrade as soon as they can safely do so.

For Mainnet's v28 update, the only change being made is an update from Cosmos SDK v0.50.12 -> v0.50.13. A small TON related change is also included in the v29 update for our Testnet. For more information on the Cosmos SDK vulnerability, please see their security advisory here: [ISA-2025-002: x/group can halt when erroring in EndBlocker](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-47ww-ff84-4jrg)

Additional Critical Information:
- Due to the low difficulty required to exploit this vulnerability, please apply the updates as soon as you can safely do so.
- Validator operators, if the chain does halt before we reach 2/3 voting power, please install the updated binary swiftly to restore the network.
- Guidance from the cosmos/cosmos-sdk release page states:
- This patch is not state-breaking, so chains can upgrade in a rolling manner. This does not have to be a coordinated upgrade.
- However, validators should upgrade as soon as possible when the release is made available.
- If the vulnerability is exploited before 2/3 is patched, the chain will halt.

Posted Mar 12, 2025 - 22:55 UTC

This scheduled maintenance affected: Testnet (ZetaChain Testnet) and Mainnet (ZetaChain Mainnet).