Open soreatu opened 4 years ago
Hi
Thanks for your submission. We have tested the issue you mentioned and did reproduce it. This is a valid vulnerability. After evaluation, this vulnerability has been graded as P2. Please pay attention to the announcement to get your rewards. Thanks for your attention and contribution. Please keep trying and help us improve our chain.
Regards,
KuChain Team
Describe The Bug
There exists no negative check for the `Amount` field in `MsgIssueCoinData` and `MsgBurnCoinData` when handling `MsgIssueCoin` and `MsgBurnCoin`. The attacker can send a `MsgIssueCoin` transaction which contains a negative `Amount`. This transaction will be executed successfully. As a consequence, the coin amount can be set as a negative value, which is an unexpected result. Similarly, the attacker can also send a `MsgBurnCoin` transaction which contains a huge negative `Amount`, and this will be executed successfully as well. Through this way, the coin creator can make the coin `Supply` go far beyond the `MaxSupply` limitation and get huge amounts of coins, which seriously disrupts the market order.

First, we show how the coin amount can be set as negative, by sending a `MsgIssueCoin` transaction.

Code Snippets (Optional)
/x/asset/client/cli/issue.go:L47-52
Input/Output

To Reproduce
`amount.Amount = amount.Amount.Neg()` in the client code located at /x/asset/client/cli/issue.go:L52, as shown in the Code Snippets.

Expected Behavior
Return an error "The amount of coin cannot be negative."
Screenshots First query:
Second query:
Next, we show how the coin creator can go through the `MaxSupply` limitation and get a large amount of coins, by sending a `MsgBurnCoin` transaction. The client code doesn't implement the `burn` command, so we need to implement one by ourselves.

Code Snippets (Optional)
Create a file `burn.go` under the directory /x/asset/client/cli/ populated with the following code.

Add the `Burn` function to the command line. /x/asset/client/cli/tx.go:L19-38

Modify the `NewMsgBurn` function. /x/asset/types/msgs.go:L85-86

Input/Output
To Reproduce
Code Snippets
Expected Behavior Return an error "The amount of coin cannot be negative."
Screenshots
Additional Context (Optional)
For some reason, we cannot create a transaction with negative `Amount` through command line, so we modify the client code for our purposes. Note that, although the client code doesn't implement `NewMsgBurn`, the server does indeed support `MsgBurnCoin`. So, we can implement one following the example of `NewMsgIssue`, and use that to trigger the vulnerability.

Contact Information
xiang.yin@chaitin.com, blockchain@chaitin.com
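The root cause the report describes is that the `Amount` sign is only ever constrained in the client, which an attacker controls, while the server-side handler trusts whatever arrives. The example below is an added illustration of the server-side fix, not KuChain's code: `CoinMsg`, `Coin`, `ValidateAmount`, `Issue` and `Burn` are hypothetical stand-ins for `MsgIssueCoinData`/`MsgBurnCoinData` and the asset handler. It shows the two checks a handler needs so that a sign-flipped issue or a huge negative burn (the report's two cases) is rejected before any state changes, and so that `MaxSupply` is enforced on the post-state rather than assumed from the client.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// CoinMsg is a hypothetical stand-in for the Amount-carrying message data
// the report discusses (MsgIssueCoinData / MsgBurnCoinData); the type and
// field names here are assumptions, not KuChain's own.
type CoinMsg struct {
	Symbol string
	Amount *big.Int
}

var (
	ErrNegativeAmount   = errors.New("the amount of coin cannot be negative")
	ErrExceedsMaxSupply = errors.New("issue would push supply above max supply")
	ErrExceedsSupply    = errors.New("burn amount exceeds current supply")
)

// ValidateAmount is the stateless check the report says is missing. It runs
// server-side, so a modified client cannot bypass it: nil, zero and negative
// amounts are all rejected before any state is touched.
func ValidateAmount(m CoinMsg) error {
	if m.Amount == nil || m.Amount.Sign() <= 0 {
		return ErrNegativeAmount
	}
	return nil
}

// Coin holds the supply state for one coin.
type Coin struct {
	Supply    *big.Int
	MaxSupply *big.Int
}

// Issue applies issue semantics: validate the amount, then enforce MaxSupply
// on the post-state so the cap cannot be exceeded by any sequence of messages.
func (c *Coin) Issue(m CoinMsg) error {
	if err := ValidateAmount(m); err != nil {
		return err
	}
	next := new(big.Int).Add(c.Supply, m.Amount)
	if next.Cmp(c.MaxSupply) > 0 {
		return ErrExceedsMaxSupply
	}
	c.Supply = next
	return nil
}

// Burn applies burn semantics. Because ValidateAmount rejects negatives, a
// "burn" can never increase Supply; it is also bounded by what exists.
func (c *Coin) Burn(m CoinMsg) error {
	if err := ValidateAmount(m); err != nil {
		return err
	}
	if m.Amount.Cmp(c.Supply) > 0 {
		return ErrExceedsSupply
	}
	c.Supply = new(big.Int).Sub(c.Supply, m.Amount)
	return nil
}

func main() {
	// Constructed sample state: 100 issued out of a cap of 1000.
	c := &Coin{Supply: big.NewInt(100), MaxSupply: big.NewInt(1000)}
	cases := []struct {
		op  string
		amt int64
	}{
		{"issue", -5},     // the report's first case: negative issue
		{"burn", -100000}, // the report's second case: huge negative burn
		{"issue", 950},    // positive but would exceed MaxSupply
		{"issue", 900},    // valid: lands exactly on the cap
		{"burn", 50},      // valid
	}
	for _, tc := range cases {
		m := CoinMsg{Symbol: "abc", Amount: big.NewInt(tc.amt)}
		var err error
		if tc.op == "issue" {
			err = c.Issue(m)
		} else {
			err = c.Burn(m)
		}
		fmt.Printf("%-5s %8d -> supply=%s err=%v\n", tc.op, tc.amt, c.Supply, err)
	}
}
```

The design point is that the check lives in the message handler (in a Cosmos-style chain, `ValidateBasic` plus the keeper), not only in the CLI that builds the transaction: the report's `amount.Amount.Neg()` edit is exactly the kind of client change a validator can never see, so the server must be the one that refuses it.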