`context.Context` should be used everywhere instead of `sdk.Context`. This can lead to incorrect interfaces.

[howlbot-integration[bot]]

Lines of code

https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/app/ante/interfaces.go#L13

Vulnerability details

Impact

sdk.Context is still used instead of context.Context, causing interface mismatch. I Won't go through all the instances in the project but there >400 places to update based on a vs code search for sdk.context

Proof of Concept

More information can be found here: https://github.com/cosmos/cosmos-sdk/blob/v0.50.6/UPGRADING.md

Specifically in the section Module.

Tools Used

Manual review

Recommended Mitigation Steps

Change sdk.Context to context.Context

Assessed type

Other

[poorphd]

• Label

  • sponsor disputed

• Reasoning: Deprecated but still usable

  • As of SDK 50, providers of the given modules have started accepting context.Context. Modules that use these keepers have transitioned to context.Context. However, sdk.Context can still be passed when using these keepers.
  • context.Context is an interface, while sdk.Context is an implementation of this interface. Consequently, using the current type won't result in any type errors.
  • Once SDK modules have switched to the context.Context type, they consistently call UnwrapSDKContext as opposed to using it directly. UnwrapSDKContext returns the original sdk.Context if the provided context implementation is sdk.Context, thus there are no practical issues.

• Severity

  • Mid → Not valid
  • The reasoning remains the same as above

[3docSec]

The linked docs explain how the Cosmos SDK changed the type of Context in their interfaces.

There is no evidence that applications like Canto need to drop the old one too.

[c4-judge]

3docSec marked the issue as unsatisfactory: Insufficient proof