Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

πŸ›‘οΈ Outdated Vesting module poses multiple risks #620

Closed
ccamel opened this issue May 15, 2024 · 0 comments Β· Fixed by #634
Closed

πŸ›‘οΈ Outdated Vesting module poses multiple risks #620

ccamel opened this issue May 15, 2024 · 0 comments Β· Fixed by #634
Assignees
@bdeneux
Labels
security audit Categorizes an issue or PR as relevant to Security Audit

Comments

@ccamel
Copy link
Member

ccamel commented May 15, 2024
edited
Loading

Note

Severity: Medium
target: v7.1.0 - Commit: 3c854270b006db30aa3894da2cdba10cc31b8c5f
Ref: OKP4 Blockchain Audit Report v1.0 - 02-05-2024 - BlockApex

Description

The following distinct but related vulnerabilities have been identified and manually verified by the team.

  1. BlockedAddress Input Validation: This issue involves insufficient validation mechanisms for BlockedAddress entries. The lack of rigorous validation allows for the potential misuse of blockchain resources, compromising the security of transactions.
  2. Sanity Checks for PeriodicVestingAccount: In msg_server.go, this vulnerability arises from inadequate sanity checks during the creation of a PeriodicVestingAccount. Specifically, the system does not correctly handle cases where EndTime values are negative or overflow, which can result in system crashes or undefined behavior.
  3. Faulty GRPC Query Tally: In grpc_query.go, the query for a failed proposal tally incorrectly attempts to tally votes anew instead of fetching the final tally result from proposal.FinalTallyResult, after votes have been removed post-failure. This results in inaccurate or impossible query responses.

Recommendation

The vesting module should refer to the correct upstream repository of cosmossdk/x/auth/vesting to ensure all security patches are correctly applied.

References
@github-project-automation github-project-automation bot moved this to πŸ“‹ Backlog in πŸ’» Development May 15, 2024
@ccamel ccamel added the security audit Categorizes an issue or PR as relevant to Security Audit label May 15, 2024
@github-project-automation github-project-automation bot moved this to πŸ“‹ Backlog in πŸ’» Development May 15, 2024
@ccamel ccamel moved this from πŸ“‹ Backlog to πŸ“† To do in πŸ’» Development May 15, 2024
@ccamel ccamel moved this from πŸ“† To do to πŸ— In progress in πŸ’» Development May 17, 2024
@bdeneux bdeneux linked a pull request May 17, 2024 that will close this issue
πŸ”ƒ Update vesting module to cosmos-sdk v0.50.6 #634
Merged
@github-project-automation github-project-automation bot moved this from πŸ“‹ Backlog to βœ… Done in πŸ’» Development Jun 5, 2024
@github-project-automation github-project-automation bot moved this from πŸ— In progress to βœ… Done in πŸ’» Development Jun 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bdeneux bdeneux

Labels
security audit Categorizes an issue or PR as relevant to Security Audit
Projects
πŸ’» Development
Status: βœ… Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

πŸ”ƒ Update vesting module to cosmos-sdk v0.50.6 axone-protocol/axoned
2 participants
@ccamel @bdeneux