Open howlbot-integration[bot] opened 4 months ago
sponsor confirmed
Reasoning

$ cantod q auth bech32-prefix
bech32_prefix: cosmos

As shown above, the output of the `cantod q auth bech32-prefix` query is `cosmos`, which is the default value of the cosmos-sdk.

High → Low

`bech32Prefix` set in `NewAccountKeeper` is only used in `getBech32Prefix()`, and this function is only used in the bech32-prefix query.

Patch
// use custom Ethermint account for contracts
app.AccountKeeper = authkeeper.NewAccountKeeper(
appCodec,
runtime.NewKVStoreService(keys[authtypes.StoreKey]),
ethermint.ProtoAccount,
maccPerms,
authcodec.NewBech32Codec(sdk.GetConfig().GetBech32AccountAddrPrefix()),
- sdk.Bech32MainPrefix,
+ sdk.GetConfig().GetBech32AccountAddrPrefix()),
authtypes.NewModuleAddress(govtypes.ModuleName).String(),
)
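Review bot: the `+` line `sdk.GetConfig().GetBech32AccountAddrPrefix()),` has one closing parenthesis too many; it closes the `authkeeper.NewAccountKeeper(` call before the `authtypes.NewModuleAddress(govtypes.ModuleName).String(),` argument, so that argument and the final `)` are left dangling and the patch as shown would not compile. Suggest `+ sdk.GetConfig().GetBech32AccountAddrPrefix(),` instead. Since the same expression already feeds `authcodec.NewBech32Codec(...)` on the line above, a local such as `bech32Prefix := sdk.GetConfig().GetBech32AccountAddrPrefix()` used in both places would keep the codec and the keeper's prefix from drifting apart.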
I agree with the sponsor: the faulty one is only used by the gRPC query server, while the application logic is consistently using the proper configuration.

While the issue is valid and somewhat annoying for users who can't rely on the RPC query output, I don't see grounds to justify an H or M severity.
3docSec changed the severity to QA (Quality Assurance)
3docSec marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/ethermint-main/app/app.go#L373
Vulnerability details

According to breaking changes: https://github.com/cosmos/cosmos-sdk/pull/9759

While this is added, Canto uses the hardcoded default one from Cosmos SDK:

ethermint-main/app/app.go

github.com/cosmos/cosmos-sdk@v0.50.6/types/address.go

It is "cosmos", while ethermint overrides it to custom `ethm` in ethermint-main/cmd/config/config.go:

Which is then used in `ethermintd` on startup:

As a sidenote, tendermint docs mention that accounts have `eth` prefix. Similarly, Evmos, while successor to Tendermint, uses `evmos` prefix according to the docs.

This is problematic in case of messages that translate Bech32 addresses to EVM compatible addresses, like usage of `msg.Sender`.

Impact

Failing account validation during bech32 to EVM address conversion.

Proof of Concept

When converting the address from Bech32 to EVM, the following is called:

And inside, `GetBech32AccountAddrPrefix()` takes the prefix from address:

Finally, `GetFromBech32()` decodes the address and verifies that the prefix passed is the same as `config.bech32AddressPrefix`:

So, while the bech32 prefix is hardcoded to `cosmos` in ethermint-main/app/app.go, here it's taken from the config and it has value of `ethm`.

Because of this all functions requiring authority may stop working. E.g. in ethermint-main/x/evm/keeper/msg_server.go:

The same occurs with verifying msg.sender: canto-main/x/erc20/keeper/msg_server.go:

Tools Used

Manual Review

Recommended Mitigation Steps

The best option seems to be using cosmos/cosmos-sdk@v0.50.6/types/config.go#GetBech32AccountAddrPrefix() and make sure that `account_addr` config property is set. This way, `sdk.AccAddressFromBech32()` will not error out, because there won't be an address mismatch.

Exemplary fix diff:
Assessed type
Invalid Validation
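The check the report walks through (an address is bech32-decoded and its human-readable part is compared with the prefix the caller passes in) and the effect of the recommended fix, as an added Go example that is not Canto's, Ethermint's or cosmos-sdk's code. It carries a minimal BIP-173 bech32 encoder/decoder so it runs with the standard library alone; `Config`, `GetBech32AccountAddrPrefix` and `GetFromBech32` are simplified stand-ins for the sdk types named in the report (the payload is left as 5-bit words, no 5-to-8-bit conversion), and the address payload is constructed, not a real account.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// BIP-173 bech32 character set and checksum generator constants.
const charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

var generator = [5]uint32{0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3}

// polymod is the bech32 checksum polynomial over 5-bit values.
func polymod(values []byte) uint32 {
	chk := uint32(1)
	for _, v := range values {
		top := chk >> 25
		chk = (chk&0x1ffffff)<<5 ^ uint32(v)
		for i := 0; i < 5; i++ {
			if (top>>uint(i))&1 == 1 {
				chk ^= generator[i]
			}
		}
	}
	return chk
}

// hrpExpand folds the human-readable part (the prefix) into the checksum input.
func hrpExpand(hrp string) []byte {
	out := make([]byte, 0, 2*len(hrp)+1)
	for i := 0; i < len(hrp); i++ {
		out = append(out, hrp[i]>>5)
	}
	out = append(out, 0)
	for i := 0; i < len(hrp); i++ {
		out = append(out, hrp[i]&31)
	}
	return out
}

// bech32Encode builds "<hrp>1<data><6-char checksum>" from 5-bit data words.
func bech32Encode(hrp string, data []byte) string {
	values := append(hrpExpand(hrp), data...)
	values = append(values, 0, 0, 0, 0, 0, 0)
	mod := polymod(values) ^ 1
	var sb strings.Builder
	sb.WriteString(hrp)
	sb.WriteByte('1')
	for _, d := range data {
		sb.WriteByte(charset[d])
	}
	for i := 0; i < 6; i++ {
		sb.WriteByte(charset[(mod>>uint(5*(5-i)))&31])
	}
	return sb.String()
}

// bech32Decode splits a bech32 string into prefix and data words, rejecting a bad checksum.
func bech32Decode(s string) (string, []byte, error) {
	s = strings.ToLower(s)
	pos := strings.LastIndex(s, "1")
	if pos < 1 || pos+7 > len(s) {
		return "", nil, errors.New("invalid separator position")
	}
	hrp := s[:pos]
	data := make([]byte, 0, len(s)-pos-1)
	for _, c := range s[pos+1:] {
		idx := strings.IndexRune(charset, c)
		if idx < 0 {
			return "", nil, fmt.Errorf("invalid character %q", c)
		}
		data = append(data, byte(idx))
	}
	if polymod(append(hrpExpand(hrp), data...)) != 1 {
		return "", nil, errors.New("checksum mismatch")
	}
	return hrp, data[:len(data)-6], nil
}

// Config is a stand-in (assumption) for the part of sdk.Config the report discusses.
type Config struct{ bech32AddressPrefix string }

func (c *Config) GetBech32AccountAddrPrefix() string { return c.bech32AddressPrefix }

// GetFromBech32 models the report's description of sdk.GetFromBech32: decode, then
// require the decoded prefix to equal the prefix the caller expects.
func GetFromBech32(addr, expectedPrefix string) ([]byte, error) {
	hrp, data, err := bech32Decode(addr)
	if err != nil {
		return nil, err
	}
	if hrp != expectedPrefix {
		return nil, fmt.Errorf("invalid Bech32 prefix; expected %s, got %s", expectedPrefix, hrp)
	}
	return data, nil
}

func main() {
	cfg := &Config{bech32AddressPrefix: "ethm"} // constructed: what the node's config sets
	payload := []byte{3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3, 2, 3, 8, 4} // constructed, not a real account
	addr := bech32Encode(cfg.GetBech32AccountAddrPrefix(), payload)
	fmt.Println("address:", addr)
	// A hardcoded "cosmos" prefix rejects the address; the configured prefix accepts it.
	for _, prefix := range []string{"cosmos", cfg.GetBech32AccountAddrPrefix()} {
		_, err := GetFromBech32(addr, prefix)
		fmt.Printf("check against %-6s prefix: err=%v\n", prefix, err)
	}
}
```

Run as-is it prints one "invalid Bech32 prefix" error for the hardcoded `cosmos` check and `err=<nil>` for the configured `ethm` check, which is the mismatch the report describes; the checksum step is kept so the decoder also rejects a corrupted address rather than only a wrong prefix.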