GHSA-6wxf-7784-62fp: Horcrux Double Sign Possibility
On March 6, 2025, a Horcrux user (01node) experienced a double-signing incident on the Osmosis network, resulting in a 5% slash penalty (approximately 75,000 OSMO or $20,000 USD). After thorough investigation, we have identified a race condition in Horcrux’s signature state handling as the root cause. This vulnerability was introduced in July 2023 as part of PR #169 and affects all Horcrux versions from v3.1.0 through v3.3.1. A fix has been developed and is being deployed immediately.
References
- github.com/advisories/GHSA-6wxf-7784-62fp
- github.com/strangelove-ventures/horcrux
- github.com/strangelove-ventures/horcrux/commit/fb49be9baed30942b81b42da2b4f7040a2a83c02
- github.com/strangelove-ventures/horcrux/pull/169
- github.com/strangelove-ventures/horcrux/releases/tag/v3.3.2
- github.com/strangelove-ventures/horcrux/security/advisories/GHSA-6wxf-7784-62fp
Code Behaviors & Features
Detect and mitigate GHSA-6wxf-7784-62fp with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →