
Integer overflow in RPC pagination allows empty results #25006

@kevin-valerio

Summary

An integer overflow in the Cosmos RPC pagination logic causes a query to return empty results when the limit parameter is set too high.

When the sum of the offset and limit parameters exceeds the maximum value of a uint64, the addition wraps around to a small value, and the query returns 0 results instead of the expected data. This impacts applications that rely on Cosmos RPC pagination for data retrieval, particularly those that pass user-controlled pagination parameters through to the node. Only the endpoints that use query.Paginate for filtering are vulnerable.

Steps to Reproduce

How can the vulnerability be exploited?

  1. Query any Cosmos RPC endpoint that supports pagination (e.g., /cosmos/slashing/v1beta1/signing_infos or /cosmos/bank/v1beta1/denoms_metadata...)
  2. Set a valid offset parameter (e.g., offset=12)
  3. Set limit to a value that causes overflow when added to offset (e.g., limit=0xFFFFFFFFFFFFFFFF)
  4. The response contains 0 results instead of the expected data starting from the offset position

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Callers can validate input before sending requests to the RPC endpoint, ensuring that offset + limit does not exceed the maximum uint64 value by saturating the sum at the maximum instead of letting it overflow.
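The following Go program is an added illustration, not code from the Cosmos SDK or from this report. It models the pagination window arithmetic described above and the workaround: the record type, collectPage, paginateWrapping, saturatingAdd, paginateSaturating and clampLimit are all hypothetical names, and the 200 sample records are constructed inline. paginateWrapping reproduces the empty result for offset=100 and limit=0xFFFFFFFFFFFFFFFF, paginateSaturating shows a node-side saturating fix, and clampLimit shows the client-side workaround of reducing the limit before the request is sent.

```go
package main

import (
	"fmt"
	"math"
)

// record stands in for one key/value entry under a KVStore prefix
// (e.g. one validator signing info). Constructed sample data, not chain state.
type record struct {
	Key   string
	Value string
}

// sampleRecords builds n ordered records keyed "entry-000", "entry-001", ...
func sampleRecords(n int) []record {
	recs := make([]record, 0, n)
	for i := 0; i < n; i++ {
		recs = append(recs, record{
			Key:   fmt.Sprintf("entry-%03d", i),
			Value: fmt.Sprintf("value-%d", i),
		})
	}
	return recs
}

// collectPage walks the records in order and keeps those whose index lies
// in the half-open window [offset, end). This models the accumulate-while-
// in-window loop of a Paginate-style iterator (hypothetical simplification);
// the vulnerable and fixed variants below differ only in how end is computed.
func collectPage(recs []record, offset, end uint64) []record {
	var hits uint64
	var out []record
	for _, r := range recs {
		inWindow := hits >= offset && hits < end
		hits++
		if inWindow {
			out = append(out, r)
		}
	}
	return out
}

// paginateWrapping computes end as offset+limit in plain uint64 arithmetic.
// With offset=100 and limit=math.MaxUint64 the sum wraps to 99, so the
// window [100, 99) is empty and nothing is returned: the reported behaviour.
func paginateWrapping(recs []record, offset, limit uint64) []record {
	end := offset + limit
	return collectPage(recs, offset, end)
}

// saturatingAdd returns a+b, clamped at math.MaxUint64 instead of wrapping.
func saturatingAdd(a, b uint64) uint64 {
	if b > math.MaxUint64-a {
		return math.MaxUint64
	}
	return a + b
}

// paginateSaturating is a node-side fix: the window end saturates, so a
// huge limit means "everything from offset onward".
func paginateSaturating(recs []record, offset, limit uint64) []record {
	return collectPage(recs, offset, saturatingAdd(offset, limit))
}

// clampLimit is the client-side workaround: reduce a user-supplied limit so
// that offset+limit cannot exceed math.MaxUint64 before the request is sent
// to a node that still runs the wrapping arithmetic.
func clampLimit(offset, limit uint64) uint64 {
	if limit > math.MaxUint64-offset {
		return math.MaxUint64 - offset
	}
	return limit
}

func main() {
	recs := sampleRecords(200)
	const offset = 100
	fmt.Println("wrapping:  ", len(paginateWrapping(recs, offset, math.MaxUint64)))
	fmt.Println("saturating:", len(paginateSaturating(recs, offset, math.MaxUint64)))
	fmt.Println("clamped:   ", len(paginateWrapping(recs, offset, clampLimit(offset, math.MaxUint64))))
}
```

Running it prints 0 for the wrapping variant and 100 for both the saturating variant and the clamped request, i.e. the 100 records from position 100 onward that the caller expected.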

Supporting Material/References

Are there any links, screenshots, logs, etc that the team can use to find out more?

Impact

Below is an attack scenario I found that exploits this bug.

Alice runs a validator analytics service that skips the top 100 validators, since they are monitored by other services. Her service always uses offset=100 in its Cosmos RPC queries and lets users choose how many results they want.

  1. Alice's service is configured as follows:

    • Hardcoded offset=100 to skip the top validators
    • User-supplied input for the limit parameter
    • The API passes the user's limit directly to the Cosmos RPC
  2. Attack execution

    • Bob wants to see all validators, so he enters 0xFFFFFFFFFFFFFFFF (a large number, 18446744073709551615 in decimal) as the limit.
    • The final request contains pagination.offset=100&pagination.limit=0xFFFFFFFFFFFFFFFF, which returns none of the validators.

Outcome: Bob expects to see all validators from position 101 onward, but the returned result contains 0 validators due to the integer overflow. This affects data availability as well as data integrity.

(Author note: this is not a random spammy AI-submitted bug.)
