Open code423n4 opened 2 years ago
This was resolved here
https://github.com/althea-net/cosmos-gravity-bridge/commit/ad6bd78d4c968c3eef5a8ab7a38b42cd3269d186
This is a valid bug considering this fix is not included in the code hash up for review.
reopening as per judges assessment as "primary issue" on findings sheet
Handle
jmak
Vulnerability details
Impact
The SubmitBadSignatureEvidence is not actually registered in the handler and hence no one can actually submit this message, rendering the message useless. This harms the security model of Gravity since validators have no disincentive to attempt to collude and take over the bridge.
Proof of Concept
The SubmitBadSignatureEvidence handler is omitted from module/x/gravity/handler.go
Tools Used
Visual inspection
Recommended Mitigation Steps
Handle the MsgSubmitBadSignatureEvidence in module/x/gravity/handler.go.
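
A regression check for this class of bug, as an added example that is not part of the original report or of the Gravity code base: it walks every message type a module declares and reports those the handler's type switch rejects as unrecognized. The message structs, `handlerBefore`, `handlerAfter`, `declaredMsgs` and `UnroutedMsgs` are simplified stand-ins with hypothetical names; only the message type names mirror Gravity.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"sort"
)

// Simplified stand-ins for the module's message types (assumption: no SDK types).
type Msg interface{}
type MsgSendToEth struct{}
type MsgValsetConfirm struct{}
type MsgSubmitBadSignatureEvidence struct{}

var errUnrecognized = errors.New("unrecognized message type")

// declaredMsgs lists every message the module defines (constructed sample).
func declaredMsgs() []Msg {
	return []Msg{MsgSendToEth{}, MsgValsetConfirm{}, MsgSubmitBadSignatureEvidence{}}
}

// handlerBefore models the reported state: the evidence message has no case.
func handlerBefore(m Msg) error {
	switch m.(type) {
	case MsgSendToEth, MsgValsetConfirm:
		return nil
	}
	return fmt.Errorf("%w: %T", errUnrecognized, m)
}

// handlerAfter models the recommended mitigation: the evidence message is routed.
func handlerAfter(m Msg) error {
	switch m.(type) {
	case MsgSendToEth, MsgValsetConfirm, MsgSubmitBadSignatureEvidence:
		return nil
	}
	return fmt.Errorf("%w: %T", errUnrecognized, m)
}

// UnroutedMsgs returns the names of declared messages the handler does not route.
// Other handler errors (e.g. validation failures) are not counted as unrouted.
func UnroutedMsgs(h func(Msg) error, msgs []Msg) []string {
	missing := []string{}
	for _, m := range msgs {
		if err := h(m); errors.Is(err, errUnrecognized) {
			missing = append(missing, reflect.TypeOf(m).Name())
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	fmt.Println("before:", UnroutedMsgs(handlerBefore, declaredMsgs()))
	fmt.Println("after: ", UnroutedMsgs(handlerAfter, declaredMsgs()))
}
```

Run as a unit test in CI, a check of this shape fails the build whenever a message is defined but never wired into the handler.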