Summary
github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee
x/crisis does not charge ConstantFee
Details
The x/crisis module is supposed to allow anyone to halt a chain in the event of a violated invariant by sending a MsgVerifyInvariant with the name of the invariant. Processing this message takes extra processing power hence a ConstantFee was introduced on the chain that is charged as extra from the reporter for the extra computational work. This is supposed to avert spammers on the chain making nodes do extra computations using this transaction. By not charging the ConstantFee, the transactions related to invariant checking are relatively cheaper compared to the computational need and other transactions.
That said, the submitter still has to pay the transaction fee to put the transaction on the network, hence using this weakness for spamming is limited by the usual mechanisms.
Synthetic testing showed up to a 20% increase in CPU usage on a validator node that is spammed by hundreds of MsgVerifyInvariant messages which still makes this an expensive operation to carry out on a live blockchain network.
Workarounds
There is no workaround posted. Validators are advised to leave some extra computing room on their servers for possible spamming scenarios. (This is a good measure in any case.)
References
SDK developer epic about invariant checking: https://github.com/cosmos/cosmos-sdk/issues/15706
Impact
If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The ConstantFee charge of the x/crisis module will either be fixed or disabled in an upcoming regular release of the Cosmos SDK.
The x/crisis module was originally intended to allow chains to halt rather than continue with some unknown behavior in the case of an invariant violation (safety over liveness). However, as chains mature, and especially as the potential cost of halting increases, chains should consider carefully what invariants they really want to halt for, and what invariants are just sort of helpful sanity checks.
The SDK team is working on new modules that allow chain developers to fine-tune the chain invariants and the necessary actions.
Hence, the decision was made that the x/crisis module will be deprecated when new modules take over its responsibilities.
Frequently Asked Questions
- What is GHSA-W5W5-2882-47PC? GHSA-W5W5-2882-47PC is a low-severity security vulnerability in github.com/cosmos/cosmos-sdk (go), affecting versions <= 0.50.0-alpha.1. No fixed version is listed yet.
- Which versions of github.com/cosmos/cosmos-sdk are affected by GHSA-W5W5-2882-47PC? github.com/cosmos/cosmos-sdk (go) versions <= 0.50.0-alpha.1 is affected.
- Is there a fix for GHSA-W5W5-2882-47PC? No fixed version is listed for GHSA-W5W5-2882-47PC yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is GHSA-W5W5-2882-47PC exploitable, and should I be worried? Whether GHSA-W5W5-2882-47PC is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-W5W5-2882-47PC is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.