Closed howlbot-integration[bot] closed 4 months ago
sponsor dispute
bytes.HexByte has been changed to []byte in the upgrade guide of SDK v0.50.x.
bytes.HexByte
.bytes.HexByte
.Mid
→ not valid
The quote from the upgrade guide is about changes in the Cosmos SDK.
The "transfer" module comes instead from the IBC, and while it's likely it will change to use []bytes, it didn't yet, so Canto has no other choice than supporting the signature with HexBytes.
3docSec marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/x/onboarding/types/interfaces.go#L70
Vulnerability details
Impact
tmbytes.HexBytes is not changed to []bytes, which causes an incorrect interface implementation
Proof of Concept
According to https://github.com/cosmos/cosmos-sdk/blob/v0.50.6/UPGRADING.md
but in the current code,
In 2024-05-canto/canto-main/x/onboarding/types/interfaces.go
The link above explains how the denomTrace is used extensively in the codebase.
https://github.com/cosmos/ibc-go/blob/main/docs/architecture/adr-001-coin-source-tracing.md#xibc-transfer-changes
and then
and
GetDenomTrace needs the correct interface to not block code execution.
Tools Used
Manual Review
Recommended Mitigation Steps
change to
Assessed type
Other
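
The judge's comment above says that the interface Canto declares has to follow the signature the IBC transfer keeper exposes. The Go block below illustrates that rule. It is an added example, not code from Canto, ibc-go or this report: HexBytes, upstreamKeeper and both interfaces are local stand-ins, and reflection stands in for the compiler's interface check.

```go
package main

import (
	"fmt"
	"reflect"
)

// HexBytes is a local stand-in for the named byte-slice type (tmbytes.HexBytes)
// discussed in the thread; it is not imported from any real module.
type HexBytes []byte

// upstreamKeeper is a hypothetical stand-in for the IBC transfer keeper, whose
// method still takes the named type rather than a plain []byte.
type upstreamKeeper struct{ traces map[string]string }

func (k upstreamKeeper) GetDenomTrace(hash HexBytes) (string, bool) {
	t, ok := k.traces[string(hash)]
	return t, ok
}

// Consumer-side interface declared with the named type, as the judge describes.
type keeperWithHexBytes interface {
	GetDenomTrace(hash HexBytes) (string, bool)
}

// Consumer-side interface declared with []byte, as the finding recommends.
type keeperWithByteSlice interface {
	GetDenomTrace(hash []byte) (string, bool)
}

// satisfies reports whether upstreamKeeper implements the interface type that
// ifacePtr points to. Method parameter types must be identical, and a named
// type is never identical to its underlying []byte.
func satisfies(ifacePtr any) bool {
	iface := reflect.TypeOf(ifacePtr).Elem()
	return reflect.TypeOf(upstreamKeeper{}).Implements(iface)
}

func matchesHexBytes() bool  { return satisfies((*keeperWithHexBytes)(nil)) }
func matchesByteSlice() bool { return satisfies((*keeperWithByteSlice)(nil)) }

func main() {
	fmt.Println("HexBytes interface satisfied:", matchesHexBytes())
	fmt.Println("[]byte interface satisfied:  ", matchesByteSlice())
}
```

In real code the same check is usually written as a compile-time assertion of the form `var _ Iface = Impl{}`, which fails the build as soon as the two signatures diverge.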