x/staking: MsgUpdateParams allows setting bond_denom to non-existent denom

[masihyeganeh]

Summary

The staking module allows updating bond_denom via governance (MsgUpdateParams) without validating that the denom exists on-chain. Setting bond_denom to a non-existent denom causes staking and validator power logic to reference a denom that does not exist in the bank module, placing the chain into an unsafe and fragile state.

---

Environment

• Cosmos-SDK versions: All versions
• Module: x/staking
• Governance: Gov v1 (MsgUpdateParams)

---

Description

The bond_denom staking parameter can be modified via governance using MsgUpdateParams. There is currently no validation ensuring that the new bond_denom exists in the bank module or has any supply.

When bond_denom is changed to a non-existent denom:

• Existing bonded stake remains recorded under the previous denom and is not automatically migrated.
• New staking operations, power updates, and supply queries reference the new denom, which does not exist.

This creates an inconsistent staking state where parts of the staking and distribution logic operate against a denom that has no backing supply, increasing the risk of consensus failures and operational breakage over time.

---

Steps to Reproduce

1. Submit and pass a governance proposal using MsgUpdateParams to update staking.params.bond_denom to a denom that does not exist on the chain.
2. Allow the proposal to be executed.
3. Observe that staking-related logic references a denom that does not exist, while existing bonded stake remains unchanged.

Example proposal payload:

{
  "messages": [
    {
      "@type": "/cosmos.staking.v1beta1.MsgUpdateParams",
      "authority": "xxxx",
      "params": {
        "unbonding_time": "604800s",
        "max_validators": 64,
        "max_entries": 7,
        "historical_entries": 10000,
        "bond_denom": "nonexistingdenom",
        "min_commission_rate": "0.050000000000000000"
      }
    }
  ],
  "metadata": "changing bond denom to a non-existing one",
  "deposit": "40000000000xxxx",
  "title": "changing bond denom to a non-existing one",
  "summary": "changing bond denom to a non-existing one",
  "expedited": true
}

---

Actual Behavior

• bond_denom is updated to a denom that does not exist in x/bank.
• Existing bonded stake remains unchanged.
• New staking-related logic references a non-existent denom.

---

Expected Behavior

One of the following should be enforced:

• Reject bond_denom updates unless the denom exists in the bank module.
• Require the denom to have non-zero total supply.
• Disallow changing bond_denom after genesis.

Governance should not be able to introduce inconsistent staking state via parameter updates.

---

Impact

This is a high-risk governance footgun:

• Core staking assumptions are violated.
• Staking, distribution, and validator power updates can behave unexpectedly.
• Recovery required a coordinated chain upgrade to restore a valid bond_denom.

[linear]

SDK-439