code-423n4 / 2023-11-zetachain-findings


Observer can halt outbound cctxs and steal funds #404

Open c4-bot-8 opened 11 months ago

c4-bot-8 commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/node/x/crosschain/keeper/msg_server_add_to_outtx_tracker.go#L34
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/node/x/crosschain/keeper/msg_server_add_to_intx_tracker.go#L49-L53
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/node/x/crosschain/keeper/keeper_chain_nonces.go#L145

Vulnerability details

Impact

A single observer has too much power over the ZetaChain network, allowing them to halt outbound cctxs and steal funds.

Proof of Concept

Both the MsgAddToInTxTracker and MsgAddToOutTxTracker messages allow observers to add a transaction to the tracker without providing Merkle proof to verify if the transaction is valid.

This is a real risk to ZetaChain as a single malicious observer is able to cause significant harm.

For example, the MsgAddToInTxTracker message can be misused in the following ways:

  1. Spam the InTxTracker with a lot of transactions: add transactions that will cause the zetaclients to fail/error while processing them -> this will cause the zetaclient to stop processing other legitimate messages in the ObserveTrackerSuggestions function. A tx with a hash that's non-existent causes the zetaclient to error and stops the current loop iteration of the tracker txs.
  2. Add an inbound transaction that does not have one of the desired contracts as the tx.To. This causes the zetaclients to vote for a "fake" transaction which could forge Deposit or ZetaSent events. Consequently, this allows draining funds.

Similarly, trusting observers to not misbehave with MsgAddToOutTxTracker messages imposes a trust issue as well.

Moreover, a single malicious observer can mess with the external chain nonces by using the (deprecated) MsgNonceVoter message, halting outbound cctxs due to nonce mismatches.

Please note: This submission demonstrates the impact on cctxs, while the "A single malicious observer can fill the block space with MsgGasPriceVoter messages without proper gas compensation resulting in griefing blocks" submission shows how the whole ZetaChain network (not only inbound/outbound cctxs) can be significantly impacted (and griefed) by a single observer.

Tools Used

Manual review

Recommended mitigation steps

Re-consider the trust model of the MsgAddToInTxTracker and MsgAddToOutTxTracker messages and possibly also require a Merkle proof from observers.

Assessed type

Access Control
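
As an added illustration of the recommended mitigation (example code, not ZetaChain's handler): a hypothetical Go tracker that accepts an observer's tx hash only with a valid Merkle inclusion proof against a root the chain already trusts, so a single observer cannot insert a phantom or forged transaction; the sha256 tree layout, the names and the sample leaves are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// ProofNode is one level of a Merkle inclusion proof: the sibling hash and whether it sits on the left.
type ProofNode struct {
	Hash []byte
	Left bool
}

// HashPair is the interior-node hash: sha256(left || right).
func HashPair(l, r []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, l...), r...))
	return h[:]
}

// VerifyInclusion recomputes the root from leaf and proof and compares it to a root the chain already trusts.
func VerifyInclusion(root, leaf []byte, proof []ProofNode) bool {
	cur := leaf
	for _, n := range proof {
		if n.Left {
			cur = HashPair(n.Hash, cur)
		} else {
			cur = HashPair(cur, n.Hash)
		}
	}
	return bytes.Equal(cur, root)
}

// AddToTracker (hypothetical) records txHash only when its inclusion proof verifies against trustedRoot.
func AddToTracker(tracker map[string]bool, trustedRoot, txHash []byte, proof []ProofNode) error {
	if !VerifyInclusion(trustedRoot, txHash, proof) {
		return fmt.Errorf("tracker: no valid inclusion proof for tx %x", txHash)
	}
	tracker[string(txHash)] = true
	return nil
}

func main() {
	// Constructed four-leaf tree: root = H(H(a,b), H(c,d)); prove that leaf c is in it.
	a, b, c, d := []byte("tx-a"), []byte("tx-b"), []byte("tx-c"), []byte("tx-d")
	root := HashPair(HashPair(a, b), HashPair(c, d))
	proof := []ProofNode{{d, false}, {HashPair(a, b), true}}
	tracker := map[string]bool{}
	fmt.Println(AddToTracker(tracker, root, c, proof), AddToTracker(tracker, root, []byte("bogus"), proof))
}
```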

c4-pre-sort commented 11 months ago

DadeKuma marked the issue as duplicate of #410

c4-pre-sort commented 11 months ago

DadeKuma marked the issue as sufficient quality report

0xean commented 10 months ago

@DadeKuma - can you please check this, not sure it's a dupe of #410

DadeKuma commented 10 months ago

@0xean The main reasoning was that both issues rely on an observer escalation and the impact was similar; however, re-reading this, I agree that these might be considered separate issues, as they also have different mitigation steps.

0xean commented 10 months ago

thanks @DadeKuma for taking another pass, I am gonna treat them as separate and welcome comments during QA about it.

c4-judge commented 10 months ago

0xean marked the issue as not a duplicate

c4-judge commented 10 months ago

0xean marked the issue as satisfactory

c4-sponsor commented 10 months ago

lumtis (sponsor) confirmed

c4-judge commented 10 months ago

0xean marked the issue as selected for report