Open code423n4 opened 2 years ago
I would classify this as not a bug. There's no clear reason provided why this would cause gas estimation to fail, and even if it did, there's also no clear reason why it would panic and halt the orchestrator; gas estimations are handled here.
If there's a possible exploit here we need more details to make any sort of conclusion.
Agreed with Justin; the attack is not apparent to me, and more details are needed if there is indeed a specific reason.
Reopening as per the judge's assessment as "primary issue" on the findings sheet.
Handle
hack3r-0m
Vulnerability details
https://github.com/althea-net/cosmos-gravity-bridge/blob/92d0e12cea813305e6472851beeb80bd2eaf858d/orchestrator/ethereum_gravity/src/logic_call.rs#L187
Add a check for `call.logic_contract_address` to make sure it is not the same as the Gravity contract, to avoid panics from the orchestrator (by failing gas estimations).
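One way to implement the check this report asks for, as an added Rust example that is not the Gravity Bridge orchestrator's own code. `EthAddress`, `LogicCall`, `validate_logic_call`, `relay_logic_calls` and the injected gas estimator are hypothetical stand-ins for the orchestrator's types and its gas-estimation step; the point shown is that a call targeting the Gravity contract is rejected before gas estimation, and that a failed estimation is skipped rather than unwrapped.

```rust
// Added example (hypothetical types; not the Gravity Bridge orchestrator's code).
use std::fmt;

/// A 20-byte Ethereum address held as raw bytes, so equality is exact and
/// does not depend on hex casing or a 0x prefix.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct EthAddress(pub [u8; 20]);

impl EthAddress {
    /// Parse a 40-hex-digit address, with or without a 0x prefix (hypothetical helper).
    pub fn from_hex(s: &str) -> Option<Self> {
        let s = s.strip_prefix("0x").unwrap_or(s);
        if s.len() != 40 {
            return None;
        }
        let mut out = [0u8; 20];
        for (i, chunk) in s.as_bytes().chunks(2).enumerate() {
            let hex = std::str::from_utf8(chunk).ok()?;
            out[i] = u8::from_str_radix(hex, 16).ok()?;
        }
        Some(EthAddress(out))
    }
}

/// Minimal stand-in for the orchestrator's logic call (hypothetical).
#[derive(Clone, Debug)]
pub struct LogicCall {
    pub logic_contract_address: EthAddress,
    pub invalidation_id: Vec<u8>,
    pub invalidation_nonce: u64,
}

#[derive(Debug, PartialEq)]
pub enum LogicCallError {
    /// The call targets the Gravity contract itself, so it is rejected
    /// before any gas estimation is attempted.
    TargetsGravityContract,
    /// The estimator returned an error; the call is skipped, not unwrapped.
    GasEstimationFailed(String),
}

impl fmt::Display for LogicCallError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            LogicCallError::TargetsGravityContract => {
                write!(f, "logic call targets the Gravity contract itself")
            }
            LogicCallError::GasEstimationFailed(m) => write!(f, "gas estimation failed: {}", m),
        }
    }
}

/// The check the report asks for: refuse a logic call whose target address
/// equals the Gravity contract address.
pub fn validate_logic_call(
    call: &LogicCall,
    gravity_contract: EthAddress,
) -> Result<(), LogicCallError> {
    if call.logic_contract_address == gravity_contract {
        return Err(LogicCallError::TargetsGravityContract);
    }
    Ok(())
}

/// Relay-loop stand-in: validate each call, then run the (injected) gas
/// estimator. Any failure is recorded and the loop continues, so one bad
/// call cannot take the whole orchestrator down. Returns the gas values of
/// the calls that would be submitted and the (nonce, error) pairs skipped.
pub fn relay_logic_calls<F>(
    calls: &[LogicCall],
    gravity_contract: EthAddress,
    mut estimate_gas: F,
) -> (Vec<u64>, Vec<(u64, LogicCallError)>)
where
    F: FnMut(&LogicCall) -> Result<u64, String>,
{
    let mut submitted = Vec::new();
    let mut skipped = Vec::new();
    for call in calls {
        if let Err(e) = validate_logic_call(call, gravity_contract) {
            skipped.push((call.invalidation_nonce, e));
            continue;
        }
        match estimate_gas(call) {
            Ok(gas) => submitted.push(gas),
            Err(msg) => skipped.push((
                call.invalidation_nonce,
                LogicCallError::GasEstimationFailed(msg),
            )),
        }
    }
    (submitted, skipped)
}

/// Constructed sample data (not from the project): one ordinary call and one
/// whose target is the Gravity contract itself.
pub fn sample_calls(gravity: EthAddress) -> Vec<LogicCall> {
    let other = EthAddress::from_hex("0x2222222222222222222222222222222222222222").unwrap();
    vec![
        LogicCall { logic_contract_address: other, invalidation_id: b"batch-a".to_vec(), invalidation_nonce: 1 },
        LogicCall { logic_contract_address: gravity, invalidation_id: b"batch-b".to_vec(), invalidation_nonce: 2 },
    ]
}

fn main() {
    let gravity = EthAddress::from_hex("0x1111111111111111111111111111111111111111").unwrap();
    let calls = sample_calls(gravity);
    let (submitted, skipped) = relay_logic_calls(&calls, gravity, |_| Ok(21_000));
    println!("submitted {} call(s), skipped {}", submitted.len(), skipped.len());
    for (nonce, err) in &skipped {
        println!("  nonce {}: {}", nonce, err);
    }
}
```

The comparison is done on raw bytes rather than on hex strings so that `0xABC...`, `0xabc...` and an unprefixed form of the same address all collide with the configured Gravity address; a string comparison would let a differently-cased address slip past the check.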