Fixed an issue where an attacker could close a contract on behalf of others in the current implementation of Close Contract.
Implemented ValidateBasic on MsgCloseContract to validate messages before sending them to the Close Contract handler.
Added fields to the proto to ensure both the client and delegate exist when creating a contract.
Implemented validation on messages and handlers to:
-- Ensure only the client can close the contract.
-- Throw an unauthorized error if anyone other than the client tries to close the contract.
-- Verify the signatures of those who signed the contract.
Haven't tested this, but see if this makes sense, might be missing something as usual: An attacker can close any contract.
For a CloseContract message, the delegate is used as the key for the contract via FetchSpender():
https://github.com/ArkeoNetwork/arkeo-protocol/blob/master/x/arkeo/types/message_close_contract.go#L57
If a target contract exists, an attacker can send a CloseContract message: { PubKey:, Delegate: , Client: }
This should pass ValidateBasic() and move on to the handler.
In the handler's validate, the contract is looked up using this delegate address, pulling down the target's contract. Since client is not set on the message, it then passes validation:
https://github.com/ArkeoNetwork/arkeo-protocol/blob/master/x/arkeo/keeper/msg_server_close_contract.go#L49-L55
In the handle function, the contract is again looked up by the delegate and the contract is settled, without the authorization of the target contract's client:
https://github.com/ArkeoNetwork/arkeo-protocol/blob/master/x/arkeo/keeper/msg_server_close_contract.go#L82
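A minimal Go model of the check described in this issue, next to the client-only rule from the fix notes. It is an added illustration, not arkeo-protocol code: `Contract`, `MsgClose`, the `Signer` field, `looseAuth`, `strictAuth` and `closeContract` are assumed names, and the accounts are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model of the flow described above; all names are assumptions.
type Contract struct {
	Client  string
	Settled bool
}

// Signer is the account that signed the transaction (assumed field).
type MsgClose struct{ Signer, Client, Delegate string }

var ErrUnauthorized = errors.New("unauthorized")

// looseAuth models the flaw: an empty msg.Client skips the comparison.
func looseAuth(c *Contract, m MsgClose) bool {
	return m.Client == "" || m.Client == c.Client
}

// strictAuth binds the close to the signer, ignoring what the message claims.
func strictAuth(c *Contract, m MsgClose) bool {
	return m.Signer != "" && m.Signer == c.Client
}

// closeContract looks the contract up by delegate, as the issue describes.
func closeContract(s map[string]*Contract, m MsgClose, auth func(*Contract, MsgClose) bool) error {
	c, ok := s[m.Delegate]
	if !ok {
		return errors.New("contract not found")
	}
	if !auth(c, m) {
		return ErrUnauthorized
	}
	c.Settled = true
	return nil
}

func main() {
	forged := MsgClose{Signer: "mallory", Delegate: "bob"} // constructed: no Client set
	s := map[string]*Contract{"bob": {Client: "alice"}}    // alice's contract, delegate bob
	err := closeContract(s, forged, looseAuth)
	fmt.Println("loose: ", err, s["bob"].Settled) // <nil> true
	s = map[string]*Contract{"bob": {Client: "alice"}}
	err = closeContract(s, forged, strictAuth)
	fmt.Println("strict:", err, s["bob"].Settled) // unauthorized false
}
```

A regression test for the fix should cover the same two cases: a close signed by a non-client with `Client` left empty must return the unauthorized error and leave the contract unsettled.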