@elizaos/skills 2.0.0-alpha.3

package/skills/security-building-secure-contracts/skills/cosmos-vulnerability-scanner/resources/VULNERABILITY_PATTERNS.md

@@ -0,0 +1,740 @@
+## 6. Vulnerability Checklist (9 Patterns)
+
+### 6.1 INCORRECT GetSigners() ⚠️ CRITICAL
+
+**Description**: Mismatch between address returned by `GetSigners()` and address actually used in handler allows unauthorized actions via signer impersonation.
+
+**Detection Patterns**:
+```go
+// VULNERABLE: GetSigners returns one address, handler uses different field
+type MsgExample struct {
+    Signer  string  // Returned by GetSigners()
+    Author  string  // Actually used in handler
+}
+
+func (msg MsgExample) GetSigners() []sdk.AccAddress {
+    return []sdk.AccAddress{sdk.AccAddress(msg.Signer)}
+}
+
+// Handler uses Author instead!
+func handleMsgExample(ctx sdk.Context, msg MsgExample) error {
+    // WRONG: Using msg.Author instead of verified signer
+    return keeper.DoAction(ctx, msg.Author, msg.Data)
+}
+```
+
+**What to Check**:
+- [ ] `GetSigners()` returns address that is actually used in handler
+- [ ] No multiple address fields in message (signer, author, owner, from, etc.)
+- [ ] Handler only uses addresses from `GetSigners()`
+- [ ] User-provided addresses not stored without validation
+
+**Mitigation**:
+```go
+// SECURE: Single address field, used consistently
+type MsgExample struct {
+    Signer string  // Only address field
+}
+
+func (msg MsgExample) GetSigners() []sdk.AccAddress {
+    return []sdk.AccAddress{sdk.AccAddress(msg.Signer)}
+}
+
+func handleMsgExample(ctx sdk.Context, msg MsgExample) error {
+    // Use the verified signer address
+    signers := msg.GetSigners()
+    return keeper.DoAction(ctx, signers[0], msg.Data)
+}
+```
+
+**Testing**:
+- Unit test with different signer/author values
+- Verify only GetSigners() address has authorization
+- Sanity tests for all message types
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/incorrect_signer
+
+---
+
+### 4.2 NON-DETERMINISM ⚠️ CRITICAL - CHAIN HALT
+
+**Description**: Non-deterministic code in consensus causes different validators to produce different state roots, halting the chain. This is the most severe Cosmos vulnerability.
+
+**Detection Patterns**:
+
+#### Pattern 1: Map Iteration
+```go
+// VULNERABLE: Iterating over Go map (random order)
+assets := make(map[string]sdk.Coin)
+for assetID, coin := range assets {  // NON-DETERMINISTIC!
+    keeper.ProcessAsset(ctx, assetID, coin)
+}
+```
+
+#### Pattern 2: Platform-Dependent Types
+```go
+// VULNERABLE: Platform-dependent integer types
+var amount int   // Size differs: 32-bit vs 64-bit systems
+var price float64  // Float arithmetic is non-deterministic
+
+// Serialization produces different bytes on different architectures
+bz := someSerializer(amount)  // Different on 32-bit vs 64-bit!
+```
+
+#### Pattern 3: Goroutines and Concurrency
+```go
+// VULNERABLE: Goroutines have non-deterministic execution order
+go processTransaction(tx1)
+go processTransaction(tx2)
+// Order of state updates is non-deterministic!
+```
+
+#### Pattern 4: Select Statements
+```go
+// VULNERABLE: Select with multiple ready channels
+select {
+case msg := <-ch1:  // Non-deterministic choice
+    process(msg)
+case msg := <-ch2:
+    process(msg)
+}
+```
+
+#### Pattern 5: Other Sources
+```go
+// VULNERABLE: Other non-determinism sources
+rand.Intn(100)              // Random numbers
+time.Now()                  // Local system time (use ctx.BlockTime())
+&obj                        // Memory addresses
+json.Marshal(map)           // Map serialization order
+filepath.Walk()             // Filesystem traversal order
+```
+
+**What to Check**:
+- [ ] NO `range` over maps in any consensus code
+- [ ] NO `int`, `uint`, `float32`, `float64` types (use `int32`, `int64`, `sdk.Int`, `sdk.Dec`)
+- [ ] NO goroutines in message handlers or ABCI methods
+- [ ] NO `select` statements with multiple channels
+- [ ] NO `rand` package usage (use deterministic PRF)
+- [ ] NO `time.Now()` (use `ctx.BlockTime()` or `ctx.BlockHeight()`)
+- [ ] NO memory address usage (`&obj`, pointer comparisons)
+- [ ] NO non-deterministic serialization
+
+**Mitigation**:
+```go
+// SECURE: Deterministic iteration
+// Option 1: Sort map keys
+keys := make([]string, 0, len(assets))
+for k := range assets {
+    keys = append(keys, k)
+}
+sort.Strings(keys)  // Deterministic order
+for _, k := range keys {
+    keeper.ProcessAsset(ctx, k, assets[k])
+}
+
+// Option 2: Use ordered data structure
+// Use sdk.KVStore with ordered iteration
+
+// SECURE: Platform-independent types
+var amount int64     // Explicit 64-bit
+var amount sdk.Int   // Arbitrary precision integer
+var price sdk.Dec    // Decimal type for consensus
+
+// SECURE: Use block time, not system time
+timestamp := ctx.BlockTime()  // Deterministic
+height := ctx.BlockHeight()   // Deterministic
+```
+
+**Tool Detection**:
+```bash
+# Use CodeQL custom rules
+codeql database create --language=go
+codeql query run cosmos-non-determinism.ql
+
+# Look for patterns
+grep -r "range.*map\[" x/
+grep -r "go func" x/
+grep -r "time.Now()" x/
+grep -r "float64\|float32" x/
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/non_determinism
+
+---
+
+### 4.3 MESSAGES PRIORITY ⚠️ HIGH
+
+**Description**: Missing prioritization of critical messages (oracle updates, emergency pause, governance) allows front-running and censorship during network congestion.
+
+**Detection Patterns**:
+```go
+// VULNERABLE: No priority for critical oracle update
+func (app *App) CheckTx(req abci.RequestCheckTx) abci.ResponseCheckTx {
+    // All messages treated equally, oracle updates can be delayed
+    return app.BaseApp.CheckTx(req)
+}
+
+// VULNERABLE: Emergency pause has same priority as normal txs
+// During congestion, pause message may not be included in time
+```
+
+**What to Check**:
+- [ ] Oracle/price feed updates have high priority
+- [ ] Emergency pause/circuit breaker messages prioritized
+- [ ] Critical governance proposals prioritized
+- [ ] CheckTx returns higher priority for critical message types
+- [ ] High fees required for priority transactions (prevent spam)
+
+**Mitigation**:
+```go
+// SECURE: Prioritize critical messages in CheckTx
+func (app *App) CheckTx(req abci.RequestCheckTx) abci.ResponseCheckTx {
+    tx, err := app.txDecoder(req.Tx)
+    if err != nil {
+        return sdkerrors.ResponseCheckTx(err, 0, 0, app.trace)
+    }
+
+    msgs := tx.GetMsgs()
+    priority := int64(0)
+
+    for _, msg := range msgs {
+        switch msg.(type) {
+        case *oracle.MsgUpdatePrice:
+            // Verify sender is authorized oracle
+            if isAuthorizedOracle(msg.GetSigners()[0]) {
+                priority = 1000000  // Highest priority
+            }
+        case *crisis.MsgPause:
+            // Verify sender is admin
+            if isAdmin(msg.GetSigners()[0]) {
+                priority = 1000000  // Highest priority
+            }
+        }
+    }
+
+    return abci.ResponseCheckTx{
+        Code:     0,
+        Priority: priority,
+        // High priority messages pay higher fees to prevent spam
+    }
+}
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/messages_priority
+
+---
+
+### 4.4 SLOW ABCI METHODS ⚠️ CRITICAL - CHAIN HALT
+
+**Description**: Computationally expensive `BeginBlocker` or `EndBlocker` with unbounded loops can exceed block time limits, halting the chain.
+
+**Detection Patterns**:
+```go
+// VULNERABLE: Unbounded loop in EndBlocker
+func EndBlocker(ctx sdk.Context, k keeper.Keeper) {
+    // Iterates over ALL users - could be millions!
+    k.IterateAllUsers(ctx, func(user User) bool {
+        reward := k.CalculateReward(ctx, user)  // Complex calculation
+        k.DistributeReward(ctx, user, reward)
+        return false
+    })
+}
+
+// VULNERABLE: Nested loops in BeginBlocker
+func BeginBlocker(ctx sdk.Context, k keeper.Keeper) {
+    pools := k.GetAllPools(ctx)        // 1000+ pools
+    for _, pool := range pools {
+        assets := k.GetPoolAssets(ctx, pool.ID)  // 100+ assets each
+        for _, asset := range assets {
+            k.UpdatePrice(ctx, pool, asset)  // Expensive calculation
+        }
+    }
+}
+
+// VULNERABLE: Unbounded state iteration
+func (k Keeper) ProcessExpiredOrders(ctx sdk.Context) {
+    // No limit on number of orders processed per block!
+    k.IterateExpiredOrders(ctx, func(order Order) bool {
+        k.CancelOrder(ctx, order)
+        return false  // Processes ALL expired orders
+    })
+}
+```
+
+**What to Check**:
+- [ ] BeginBlocker has bounded computational complexity
+- [ ] EndBlocker has bounded computational complexity
+- [ ] NO nested loops over unbounded collections
+- [ ] NO iterations over all users/pools/assets
+- [ ] Batch operations have size limits
+- [ ] Stress tests with maximum expected data
+
+**Mitigation**:
+```go
+// SECURE: Process limited batch per block
+func EndBlocker(ctx sdk.Context, k keeper.Keeper) {
+    maxProcessed := 100  // Process max 100 users per block
+
+    iterator := k.GetUnprocessedUsers(ctx)
+    defer iterator.Close()
+
+    count := 0
+    for ; iterator.Valid() && count < maxProcessed; iterator.Next() {
+        user := k.UnmarshalUser(iterator.Value())
+        reward := k.CalculateReward(ctx, user)
+        k.DistributeReward(ctx, user, reward)
+        k.MarkProcessed(ctx, user)
+        count++
+    }
+    // Remaining users processed in subsequent blocks
+}
+
+// SECURE: Limit nested iterations
+func BeginBlocker(ctx sdk.Context, k keeper.Keeper) {
+    // Process only active pools (limited set)
+    activePools := k.GetActivePools(ctx)  // Max 50 pools
+    for _, pool := range activePools {
+        // Process only top assets (limited set)
+        topAssets := k.GetTopPoolAssets(ctx, pool.ID, 10)
+        for _, asset := range topAssets {
+            k.UpdatePrice(ctx, pool, asset)
+        }
+    }
+}
+```
+
+**Testing**:
+```go
+// Benchmark ABCI methods
+func BenchmarkEndBlocker(b *testing.B) {
+    // Test with maximum expected state
+    ctx := setupMaximumState()  // 1M users, 10K pools, etc.
+
+    b.ResetTimer()
+    for i := 0; i < b.N; i++ {
+        EndBlocker(ctx, keeper)
+    }
+    // Must complete in < 1 second
+}
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/abci_method_slow
+
+---
+
+### 4.5 ABCI METHODS PANIC ⚠️ CRITICAL - CHAIN HALT
+
+**Description**: Unexpected panics in `BeginBlocker` or `EndBlocker` immediately stop the blockchain. Many Cosmos SDK types panic on invalid operations.
+
+**Detection Patterns**:
+
+#### Pattern 1: Panic-Prone Coin Operations
+```go
+// VULNERABLE: NewCoins panics on invalid coins
+func EndBlocker(ctx sdk.Context, k keeper.Keeper) {
+    // Panics if amount is negative or denom is invalid!
+    coins := sdk.NewCoins(sdk.NewCoin(userDenom, userAmount))
+    k.MintCoins(ctx, coins)
+}
+
+// VULNERABLE: Coin arithmetic panics
+reward := sdk.NewCoin("uatom", sdk.NewInt(-100))  // PANIC: negative amount
+```
+
+#### Pattern 2: Dec/Int Operations
+```go
+// VULNERABLE: NewDec panics on invalid string
+func BeginBlocker(ctx sdk.Context, k keeper.Keeper) {
+    price := sdk.NewDec(priceString)  // PANIC if priceString is invalid!
+}
+
+// VULNERABLE: Division by zero
+ratio := amount.Quo(sdk.ZeroInt())  // PANIC!
+```
+
+#### Pattern 3: SetParamSet
+```go
+// VULNERABLE: SetParamSet panics on validation failure
+func (k Keeper) UpdateParams(ctx sdk.Context, params Params) {
+    // PANIC if params are invalid!
+    k.paramSpace.SetParamSet(ctx, &params)
+}
+```
+
+#### Pattern 4: Array Out of Bounds
+```go
+// VULNERABLE: No bounds checking
+func processValidators(validators []Validator) {
+    top := validators[0]  // PANIC if empty slice!
+}
+```
+
+**What to Check**:
+- [ ] All `sdk.NewCoins()`, `sdk.NewCoin()` calls validated
+- [ ] All `sdk.NewDec()`, `sdk.NewInt()` calls validated
+- [ ] Division operations check for zero divisor
+- [ ] `SetParamSet` called only with validated params
+- [ ] Array/slice access has bounds checking
+- [ ] User input validated before use in panic-prone operations
+
+**Mitigation**:
+```go
+// SECURE: Validate before panic-prone operations
+func EndBlocker(ctx sdk.Context, k keeper.Keeper) {
+    // Validate denom and amount
+    if err := sdk.ValidateDenom(userDenom); err != nil {
+        ctx.Logger().Error("invalid denom", "error", err)
+        return
+    }
+    if userAmount.IsNegative() {
+        ctx.Logger().Error("negative amount")
+        return
+    }
+
+    coins := sdk.NewCoins(sdk.NewCoin(userDenom, userAmount))
+    k.MintCoins(ctx, coins)
+}
+
+// SECURE: Use safe constructors
+func (k Keeper) UpdatePrice(ctx sdk.Context, priceStr string) error {
+    // Safe: Returns error instead of panicking
+    price, err := sdk.NewDecFromStr(priceStr)
+    if err != nil {
+        return err
+    }
+
+    // Check for zero before division
+    if divisor.IsZero() {
+        return errors.New("division by zero")
+    }
+    ratio := amount.Quo(divisor)
+
+    return nil
+}
+
+// SECURE: Bounds checking
+func processValidators(validators []Validator) {
+    if len(validators) == 0 {
+        return
+    }
+    top := validators[0]  // Safe
+}
+```
+
+**Tool Detection**:
+```bash
+# Use CodeQL to find panic-prone operations
+codeql query run find-unvalidated-sdk-operations.ql
+
+# Manual review
+grep -r "sdk.NewDec\|sdk.NewInt\|sdk.NewCoins" x/
+grep -r "\.Quo\|\.Div" x/
+grep -r "SetParamSet" x/
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/abci_method_panics
+
+---
+
+### 4.6 BROKEN BOOKKEEPING ⚠️ HIGH
+
+**Description**: Custom internal accounting alongside `x/bank` module becomes inconsistent when direct token transfers bypass internal bookkeeping.
+
+**Detection Patterns**:
+```go
+// VULNERABLE: Internal bookkeeping separate from x/bank
+type Keeper struct {
+    // Internal tracking of balances
+    userBalances map[string]sdk.Coins  // NOT synchronized with x/bank!
+}
+
+func (k Keeper) Deposit(ctx sdk.Context, user string, amount sdk.Coins) {
+    // Updates internal bookkeeping
+    k.userBalances[user] = k.userBalances[user].Add(amount...)
+
+    // Also updates x/bank
+    k.bankKeeper.SendCoins(ctx, sender, moduleAccount, amount)
+}
+
+// PROBLEM: Direct IBC transfer bypasses internal bookkeeping!
+// User receives tokens via IBC -> x/bank updated but userBalances not updated
+// Invariant violated: sum(userBalances) != bankKeeper.GetSupply()
+```
+
+**What to Check**:
+- [ ] No custom balance tracking alongside x/bank
+- [ ] OR custom tracking uses blocklist to prevent unexpected transfers
+- [ ] Invariant checks compare internal accounting to x/bank
+- [ ] IBC transfers handled correctly
+- [ ] Module accounts use SendEnabled parameter
+
+**Mitigation**:
+```go
+// OPTION 1: Use blocklist to prevent unexpected transfers
+func (k Keeper) BeforeTokenTransfer(ctx sdk.Context, from, to string) error {
+    // Block all transfers except through our module
+    if !k.IsAuthorizedTransfer(ctx, from, to) {
+        return errors.New("direct transfers blocked")
+    }
+    return nil
+}
+
+// OPTION 2: Use SendEnabled parameter
+// In x/bank params, set SendEnabled = false for your token
+// All transfers must go through your module
+
+// OPTION 3: Don't maintain separate bookkeeping
+// Use x/bank as source of truth, query when needed
+func (k Keeper) GetUserBalance(ctx sdk.Context, user string) sdk.Coins {
+    addr := sdk.AccAddress(user)
+    return k.bankKeeper.GetAllBalances(ctx, addr)
+}
+```
+
+**Invariant Testing**:
+```go
+// Invariant: Internal accounting matches x/bank
+func (k Keeper) InvariantCheck(ctx sdk.Context) error {
+    internalTotal := sdk.NewCoins()
+    for _, balance := range k.userBalances {
+        internalTotal = internalTotal.Add(balance...)
+    }
+
+    moduleBalance := k.bankKeeper.GetAllBalances(ctx, k.moduleAccount)
+
+    if !internalTotal.IsEqual(moduleBalance) {
+        return fmt.Errorf("bookkeeping mismatch: internal=%v bank=%v",
+            internalTotal, moduleBalance)
+    }
+    return nil
+}
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/broken_bookkeeping
+
+---
+
+### 4.7 ROUNDING ERRORS ⚠️ MEDIUM
+
+**Description**: `sdk.Dec` type has precision issues and lacks associativity, causing rounding errors that can be exploited or cause incorrect calculations.
+
+**Detection Patterns**:
+```go
+// VULNERABLE: Division before multiplication (loses precision)
+sharePrice := totalValue.Quo(totalShares)  // Division first
+userValue := sharePrice.Mul(userShares)    // Multiplication second
+// User gets less value due to rounding down in division
+
+// VULNERABLE: sdk.Dec associativity issues
+a := sdk.NewDec(1)
+b := sdk.NewDec(10)
+c := sdk.NewDec(100)
+
+result1 := a.Mul(b).Quo(c)  // (1 * 10) / 100 = 0.1
+result2 := a.Quo(c).Mul(b)  // (1 / 100) * 10 = 0.1 (but different precision!)
+// result1 != result2 due to precision handling
+
+// VULNERABLE: Repeated rounding favors users
+for _, user := range users {
+    reward := totalReward.Quo(sdk.NewDec(len(users)))  // Round each time
+    k.MintReward(ctx, user, reward)
+}
+// Total minted > totalReward due to rounding up
+```
+
+**What to Check**:
+- [ ] Multiplication before division pattern used
+- [ ] Rounding direction favors protocol, not users
+- [ ] No repeated rounding in loops
+- [ ] Consistent calculation order across all operations
+- [ ] Consider using integer arithmetic with scaling factor
+
+**Mitigation**:
+```go
+// SECURE: Multiply before divide (preserves precision)
+userValue := totalValue.Mul(userShares).Quo(totalShares)
+// Full precision maintained until final division
+
+// SECURE: Round in favor of system
+// When distributing rewards, round down (users get slightly less)
+reward := totalReward.Mul(userShares).QuoTruncate(totalShares)
+
+// When calculating fees, round up (users pay slightly more)
+fee := amount.Mul(feeRate).QuoCeil(sdk.NewDec(10000))
+
+// SECURE: Distribute with remainder handling
+totalDistributed := sdk.ZeroDec()
+for i, user := range users {
+    if i == len(users)-1 {
+        // Last user gets remainder to ensure sum is exact
+        reward = totalReward.Sub(totalDistributed)
+    } else {
+        reward = totalReward.Quo(sdk.NewDec(len(users)))
+        totalDistributed = totalDistributed.Add(reward)
+    }
+    k.MintReward(ctx, user, reward)
+}
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/rounding_errors
+
+---
+
+### 4.8 UNREGISTERED MESSAGE HANDLER ⚠️ MEDIUM (Legacy Issue)
+
+**Description**: Message types defined in proto but not registered in `NewHandler` function cause messages to be accepted but silently ignored (pre-Cosmos SDK v0.47).
+
+**Detection Patterns**:
+```go
+// VULNERABLE: Message defined but not in handler (legacy Msg Service)
+// In types/msgs.proto
+message MsgWithdraw {
+    string sender = 1;
+    string amount = 2;
+}
+
+// In handler.go
+func NewHandler(k keeper.Keeper) sdk.Handler {
+    return func(ctx sdk.Context, msg sdk.Msg) (*sdk.Result, error) {
+        switch msg := msg.(type) {
+        case *types.MsgDeposit:
+            return handleMsgDeposit(ctx, k, msg)
+        // Missing: case *types.MsgWithdraw
+        default:
+            return nil, sdkerrors.ErrUnknownRequest
+        }
+    }
+}
+```
+
+**What to Check**:
+- [ ] Using Cosmos SDK v0.47+ with automatic handler registration
+- [ ] OR all message types in proto have corresponding handler case
+- [ ] Integration tests call all message types
+- [ ] CI checks for unregistered messages
+
+**Mitigation**:
+```go
+// OPTION 1: Use modern SDK (v0.47+) - handlers auto-registered
+// In msg_server.go
+type msgServer struct {
+    Keeper
+}
+
+func (s msgServer) Deposit(ctx context.Context, msg *types.MsgDeposit) (*types.MsgDepositResponse, error) {
+    // Handler automatically registered via protobuf service
+}
+
+func (s msgServer) Withdraw(ctx context.Context, msg *types.MsgWithdraw) (*types.MsgWithdrawResponse, error) {
+    // Handler automatically registered
+}
+
+// OPTION 2: Verify all messages registered (legacy)
+func NewHandler(k keeper.Keeper) sdk.Handler {
+    return func(ctx sdk.Context, msg sdk.Msg) (*sdk.Result, error) {
+        switch msg := msg.(type) {
+        case *types.MsgDeposit:
+            return handleMsgDeposit(ctx, k, msg)
+        case *types.MsgWithdraw:  // Ensure all messages present!
+            return handleMsgWithdraw(ctx, k, msg)
+        default:
+            return nil, sdkerrors.ErrUnknownRequest
+        }
+    }
+}
+```
+
+**Testing**:
+```go
+// Integration test for all message types
+func TestAllMessageTypes(t *testing.T) {
+    // Get all message types from proto
+    messageTypes := getAllProtoMessageTypes()
+
+    for _, msgType := range messageTypes {
+        // Verify message can be submitted and processed
+        result, err := app.DeliverTx(ctx, msgType)
+        require.NoError(t, err)
+        require.NotNil(t, result)
+    }
+}
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/message_handler_missing
+
+---
+
+### 4.9 MISSING ERROR HANDLER ⚠️ HIGH
+
+**Description**: Ignoring error return values from keeper methods (especially `bankKeeper.SendCoins`) allows invalid operations to silently succeed.
+
+**Detection Patterns**:
+```go
+// VULNERABLE: Ignored error from SendCoins
+func (k Keeper) Withdraw(ctx sdk.Context, user string, amount sdk.Coins) {
+    // Error ignored! Withdrawal appears successful even if SendCoins fails
+    k.bankKeeper.SendCoins(ctx, moduleAccount, user, amount)
+
+    // Update state assuming withdrawal succeeded
+    k.DecrementBalance(ctx, user, amount)
+}
+
+// VULNERABLE: Deferred error handling too late
+func (k Keeper) ProcessBatch(ctx sdk.Context, txs []Transaction) {
+    for _, tx := range txs {
+        err := k.ProcessTransaction(ctx, tx)
+        // Error not checked, continues processing!
+    }
+}
+```
+
+**What to Check**:
+- [ ] ALL keeper method calls check error return values
+- [ ] `bankKeeper.SendCoins()` errors always handled
+- [ ] State updates only occur after successful operation
+- [ ] Errors propagated to caller
+- [ ] Use linters to detect ignored errors (errcheck)
+
+**Mitigation**:
+```go
+// SECURE: Check all errors
+func (k Keeper) Withdraw(ctx sdk.Context, user string, amount sdk.Coins) error {
+    // Check error from SendCoins
+    if err := k.bankKeeper.SendCoins(ctx, moduleAccount, user, amount); err != nil {
+        return err  // Withdrawal failed, no state change
+    }
+
+    // Only update state if SendCoins succeeded
+    k.DecrementBalance(ctx, user, amount)
+    return nil
+}
+
+// SECURE: Stop processing on first error
+func (k Keeper) ProcessBatch(ctx sdk.Context, txs []Transaction) error {
+    for _, tx := range txs {
+        if err := k.ProcessTransaction(ctx, tx); err != nil {
+            return fmt.Errorf("transaction failed: %w", err)
+        }
+    }
+    return nil
+}
+```
+
+**Linter Configuration**:
+```yaml
+# .golangci.yml
+linters:
+  enable:
+    - errcheck  # Detect unchecked errors
+    - goerr113  # Error handling rules
+
+linters-settings:
+  errcheck:
+    check-blank: true  # Flag _ = err
+    check-type-assertions: true
+```
+
+**References**: building-secure-contracts/not-so-smart-contracts/cosmos/missing_error_handler
+
+---