From building-secure-contracts
Scans Cosmos SDK blockchains and CosmWasm contracts for 9 consensus-critical vulnerabilities like non-determinism, incorrect signers, ABCI panics, and rounding errors. Use for auditing Cosmos chains.
How this skill is triggered — by the user, by Claude, or both
Slash command
/building-secure-contracts:cosmos-vulnerability-scannerThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Systematically scan Cosmos SDK blockchain modules and CosmWasm smart contracts for platform-specific security vulnerabilities that can cause chain halts, consensus failures, or fund loss. This skill encodes 9 critical vulnerability patterns unique to Cosmos-based chains.
Systematically scan Cosmos SDK blockchain modules and CosmWasm smart contracts for platform-specific security vulnerabilities that can cause chain halts, consensus failures, or fund loss. This skill encodes 9 critical vulnerability patterns unique to Cosmos-based chains.
.go, .proto.rs (Rust with cosmwasm imports)// Cosmos SDK indicators
import (
"github.com/cosmos/cosmos-sdk/types"
sdk "github.com/cosmos/cosmos-sdk/types"
"github.com/cosmos/cosmos-sdk/x/..."
)
// Common patterns
keeper.Keeper
sdk.Msg, GetSigners()
BeginBlocker, EndBlocker
CheckTx, DeliverTx
protobuf service definitions
// CosmWasm indicators
use cosmwasm_std::*;
#[entry_point]
pub fn execute(deps: DepsMut, env: Env, info: MessageInfo, msg: ExecuteMsg)
x/modulename/ - Custom moduleskeeper/keeper.go - State managementtypes/msgs.go - Message definitionsabci.go - BeginBlocker/EndBlockerhandler.go - Message handlers (legacy)When invoked, I will:
When vulnerabilities are found, you'll get a report like this:
=== COSMOS SDK VULNERABILITY SCAN RESULTS ===
Project: my-cosmos-chain
Files Scanned: 6 (.go)
Vulnerabilities Found: 2
---
[CRITICAL] Incorrect GetSigners()
---
## 5. Vulnerability Patterns (9 Patterns)
I check for 9 critical vulnerability patterns unique to CosmWasm. For detailed detection patterns, code examples, mitigations, and testing strategies, see [VULNERABILITY_PATTERNS.md](resources/VULNERABILITY_PATTERNS.md).
### Pattern Summary:
1. **Missing Denom Validation** ⚠️ CRITICAL - Accepting arbitrary token denoms
2. **Insufficient Authorization** ⚠️ CRITICAL - Missing sender/admin validation
3. **Missing Balance Check** ⚠️ HIGH - Not verifying sufficient balances
4. **Improper Reply Handling** ⚠️ HIGH - Unsafe submessage reply processing
5. **Missing Reply ID Check** ⚠️ MEDIUM - Not validating reply IDs
6. **Improper IBC Packet Validation** ⚠️ CRITICAL - Unvalidated IBC packets
7. **Unvalidated Execute Message** ⚠️ HIGH - Missing message validation
8. **Integer Overflow** ⚠️ HIGH - Unchecked arithmetic operations
9. **Reentrancy via Submessages** ⚠️ MEDIUM - State changes before submessages
For complete vulnerability patterns with code examples, see [VULNERABILITY_PATTERNS.md](resources/VULNERABILITY_PATTERNS.md).
## 5. Scanning Workflow
### Step 1: Platform Identification
1. Identify Cosmos SDK version (`go.mod`)
2. Locate custom modules (`x/*/`)
3. Find ABCI methods (`abci.go`, BeginBlocker, EndBlocker)
4. Identify message types (`types/msgs.go`, `.proto`)
### Step 2: Critical Path Analysis
Focus on consensus-critical code:
- BeginBlocker / EndBlocker implementations
- Message handlers (execute, DeliverTx)
- Keeper methods that modify state
- CheckTx priority logic
### Step 3: Non-Determinism Sweep
**This is the highest priority check for Cosmos chains.**
```bash
# Search for non-deterministic patterns
grep -r "range.*map\[" x/
grep -r "\bint\b\|\buint\b" x/ | grep -v "int32\|int64\|uint32\|uint64"
grep -r "float32\|float64" x/
grep -r "go func\|go routine" x/
grep -r "select {" x/
grep -r "time.Now()" x/
grep -r "rand\." x/
For each finding:
Review BeginBlocker and EndBlocker:
For each message type:
## [CRITICAL] Non-Deterministic Map Iteration in EndBlocker
**Location**: `x/dex/abci.go:45-52`
**Description**:
The EndBlocker iterates over an unordered map to distribute rewards, causing different validators to process users in different orders and produce different state roots. This will halt the chain when validators fail to reach consensus.
**Vulnerable Code**:
```go
// abci.go, line 45
func EndBlocker(ctx sdk.Context, k keeper.Keeper) {
rewards := k.GetPendingRewards(ctx) // Returns map[string]sdk.Coins
for user, amount := range rewards { // NON-DETERMINISTIC ORDER
k.bankKeeper.SendCoins(ctx, moduleAcc, user, amount)
}
}
Attack Scenario:
Recommendation: Sort map keys before iteration:
func EndBlocker(ctx sdk.Context, k keeper.Keeper) {
rewards := k.GetPendingRewards(ctx)
// Collect and sort keys for deterministic iteration
users := make([]string, 0, len(rewards))
for user := range rewards {
users = append(users, user)
}
sort.Strings(users) // Deterministic order
// Process in sorted order
for _, user := range users {
k.bankKeeper.SendCoins(ctx, moduleAcc, user, rewards[user])
}
}
References:
---
## 7. Priority Guidelines
### Critical - CHAIN HALT Risk
- Non-determinism (any form)
- ABCI method panics
- Slow ABCI methods
- Incorrect GetSigners (allows unauthorized actions)
### High - Fund Loss Risk
- Missing error handling (bankKeeper.SendCoins)
- Broken bookkeeping (accounting mismatch)
- Missing message priority (oracle/emergency messages)
### Medium - Logic/DoS Risk
- Rounding errors (protocol value leakage)
- Unregistered message handlers (functionality broken)
---
## 8. Testing Recommendations
### Non-Determinism Testing
```bash
# Build for different architectures
GOARCH=amd64 go build
GOARCH=arm64 go build
# Run same operations, compare state roots
# Must be identical across architectures
# Fuzz test with concurrent operations
go test -fuzz=FuzzEndBlocker -parallel=10
func BenchmarkBeginBlocker(b *testing.B) {
ctx := setupMaximalState() // Worst-case state
b.ResetTimer()
for i := 0; i < b.N; i++ {
BeginBlocker(ctx, keeper)
}
// Must complete in < 1 second
require.Less(b, b.Elapsed()/time.Duration(b.N), time.Second)
}
// Run invariants in integration tests
func TestInvariants(t *testing.T) {
app := setupApp()
// Execute operations
app.DeliverTx(...)
// Check invariants
_, broken := keeper.AllInvariants()(app.Ctx)
require.False(t, broken, "invariant violation detected")
}
building-secure-contracts/not-so-smart-contracts/cosmos/Before completing Cosmos chain audit:
Non-Determinism (CRITICAL):
ABCI Methods (CRITICAL):
Message Handling (HIGH):
Arithmetic & Accounting (MEDIUM):
Testing:
npx claudepluginhub michelabboud/trailofbits-skills --plugin building-secure-contracts3plugins reuse this skill
First indexed Jul 11, 2026
Scans Cosmos SDK modules and CosmWasm contracts for consensus-critical vulnerabilities causing chain halts, fund loss, or state divergence. Use for auditing custom x/ modules, IBC integrations, or pre-launch chain security.
Scans Cosmos SDK blockchains for 9 consensus-critical vulnerabilities including non-determinism, incorrect signers, ABCI panics, and rounding errors. Use when auditing Cosmos chains or CosmWasm contracts.
Audits smart contracts for vulnerabilities including reentrancy, access control, oracle manipulation, and economic exploits across EVM and Solana.