PT-2025-10136 · Horcrux · Horcrux
Published: 2025-03-07 · Updated: 2025-03-07
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A
Name of the Vulnerable Software and Affected Versions
Horcrux versions 3.1.0 through 3.3.1
Description
A race condition in Horcrux's signature state handling code allowed for a double-signing incident, resulting in a 5% slash penalty. The issue was introduced in July 2023 and affects all Horcrux versions from v3.1.0 through v3.3.1. The bug has an extremely low probability of occurrence but is of high severity. One known validator was affected, resulting in a loss of approximately 75,000 OSMO or $20,000 USD. The incident occurred at Osmosis block height 30968345. Technical details reveal that the issue was caused by a split read-write lock pattern that allowed two sign requests to proceed when they should have been serialized. The fix implements a single mutex lock that covers both the reading of the current signature state and the subsequent writing of any updates.
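The split read-write lock pattern and the single-mutex fix described above can be shown side by side. This is an added illustration, not Horcrux's code: the `signState` type, its methods, the `gap` hook and the payload names are all constructed for the demo, and the barrier in `race` forces the interleaving that in practice occurs only rarely.

```go
package main

import "sync"

// signState is a constructed stand-in for a signer's high-water mark (not Horcrux's type).
type signState struct {
	mu     sync.RWMutex
	height int64
	signed []string
	gap    func() // demo hook: runs in signSplit's unlocked window
}

// signSplit checks under a read lock, then updates under a separate write lock.
func (s *signState) signSplit(h int64, payload string) {
	s.mu.RLock()
	ok := h > s.height
	s.mu.RUnlock()
	if ok {
		s.gap() // a second request can pass the same check here
		s.mu.Lock()
		s.height, s.signed = h, append(s.signed, payload)
		s.mu.Unlock()
	}
}

// signSerialized holds one lock across both the check and the update.
func (s *signState) signSerialized(h int64, payload string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if h > s.height {
		s.height, s.signed = h, append(s.signed, payload)
	}
}

// race submits two conflicting payloads for height 10 and returns how many were signed.
func race(sign func(*signState, int64, string)) int {
	var checked, done sync.WaitGroup
	checked.Add(2)
	done.Add(2)
	// The barrier releases only after both requests have passed the check.
	s := &signState{gap: func() { checked.Done(); checked.Wait() }}
	for _, p := range []string{"block-A", "block-B"} {
		go func(p string) { defer done.Done(); sign(s, 10, p) }(p)
	}
	done.Wait()
	return len(s.signed)
}

func main() { println(race((*signState).signSplit), race((*signState).signSerialized)) }
```

With the split pattern both payloads are signed at the same height; with one lock around the check and the update, the second request is rejected.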
Recommendations
All Horcrux users running versions v3.1.0 through v3.3.1 should update to the patched version v3.3.2 immediately. The fix is backward compatible and does not require any configuration changes. Update instructions include downloading the v3.3.2 release binary or container image, applying the release binary or image to the deployment, and restarting cosigner processes one at a time to ensure continuous validator operation.
Fix
Race Condition
Affected Products
Horcrux