Preliminary

This proposal is being submitted to upgrade the Shentu Chain to v2.1.0 in response to a tx malleability bug addressed in the Cosmos SDK v0.44 security release. This is a simple binary-replacement upgrade, and the chain-id will not be bumped. All node operators should upgrade their software from v2.0.0 to v2.1.0 at block height 4421700 (estimated Wed Sep 8th, 2021 at 16:00 UTC).


Context

In Cosmos SDK v0.42.x, which Shentu currently runs, if a client submitted a tx and then received a failed response, there was a non-negligible probability that the tx had still gone out to the network under a different hash unknown to the client. Because the client could not query the tx on-chain and the user perceived the first attempt as failed, the user was at risk of being maliciously tricked into signing and submitting the same tx twice.

As a mitigation, we have decided to plan a coordinated network upgrade and bump the chain to v2.1.0, which adds the necessary query paths so that a tx can be queried by signature or by address+sequence. This way a tx response is only returned if it had already been successfully broadcast in the first place. This release also includes a fix for the staking module, where unbondings and validator updates are not being properly processed in the endblocker.
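The client-side check that the new query paths make possible, as an added example (not Shentu or Cosmos SDK code): before signing again after a failed response, look the tx up by signature and by address+sequence, not only by hash. The `Tx` and `Index` types, the key prefixes and all sample values are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Tx is a constructed model, not the Cosmos SDK type. Wire is the full
// broadcast encoding; Signature covers only the signed content inside it.
type Tx struct {
	Wire, Signature, Signer string
	Sequence                uint64
}

func hashOf(wire string) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(wire))) }

func accSeq(tx Tx) string { return fmt.Sprintf("%s/%d", tx.Signer, tx.Sequence) }

// Index models the lookup paths a node exposes for committed txs (hypothetical keys).
type Index map[string]bool

func (ix Index) Commit(tx Tx) {
	ix["hash/"+hashOf(tx.Wire)] = true
	ix["sig/"+tx.Signature] = true
	ix["accseq/"+accSeq(tx)] = true
}

// SafeToResign reports whether a client that got a failed broadcast response
// may sign the tx again. hashOnly models a client limited to lookup by hash.
func (ix Index) SafeToResign(sent Tx, hashOnly bool) bool {
	if ix["hash/"+hashOf(sent.Wire)] {
		return false
	}
	if hashOnly {
		return true // blind spot: the same signed tx under another hash is missed
	}
	return !ix["sig/"+sent.Signature] && !ix["accseq/"+accSeq(sent)]
}

func main() {
	sent := Tx{"encoding-A|body|sig", "sig-placeholder", "addr-placeholder", 7}
	onChain := sent
	onChain.Wire = "encoding-B|body|sig" // same signed content, different wire bytes
	ix := Index{}
	ix.Commit(onChain)
	fmt.Println(ix.SafeToResign(sent, true), ix.SafeToResign(sent, false)) // true false
}
```

The hash-only client concludes it is safe to sign again even though the tx is already committed; the signature and address+sequence lookups both find it.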

Impacted Stakeholders

Node Operators

Service Providers

Current & Target Runtime

Current Runtime

CertiK v2.0.0