Closed c4-bot-6 closed 4 months ago
Warden will be acting as the judge for this audit and therefore, has agreed to forfeit their submissions and will not be eligible for awards for this audit.
CloudEllie marked the issue as duplicate of #27
3docSec marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/canto-main/proto/canto/coinswap/v1/tx.proto#L97
Vulnerability details
Before Cosmos SDK v0.50, the `GetSigners` method was used to specify which addresses are required to sign a transaction message. With Cosmos SDK v0.50 this method has been dropped and replaced with the declarative `cosmos.msg.v1.signer` protobuf tag.

This tag was applied by the team correctly in most places; however, for `MsgSwapOrder` the annotation points to a nested `Input` message, which does not itself carry a `cosmos.msg.v1.signer` tag to resolve the signer indirectly:

Impact
`MsgSwapOrder` messages will always fail on the Canto node.

Proof of Concept
The issue can be verified by adding the following test in the `app` folder:

canto-main/app/signers_test.go

```go
package app

import (
	"testing"

	"cosmossdk.io/x/tx/signing"
	coinswapapi "github.com/Canto-Network/Canto/v7/api/canto/coinswap/v1"
	"github.com/cosmos/cosmos-sdk/codec/address"
	sdk "github.com/cosmos/cosmos-sdk/types"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestMsgSwapOrderSigners(t *testing.T) {
	// MsgSwapOrder's signer annotation points at the nested Input message.
	sw := coinswapapi.MsgSwapOrder{
		Input: &coinswapapi.Input{Address: "something"},
	}

	// Build a signing context with the same address codecs the app uses.
	ctx, err := signing.NewContext(signing.Options{
		AddressCodec: address.Bech32Codec{
			Bech32Prefix: sdk.GetConfig().GetBech32AccountAddrPrefix(),
		},
		ValidatorAddressCodec: address.Bech32Codec{
			Bech32Prefix: sdk.GetConfig().GetBech32ValidatorAddrPrefix(),
		},
	})
	require.NoError(t, err)

	// Signer resolution fails here: Input has no cosmos.msg.v1.signer tag.
	signers, err := ctx.GetSigners(&sw)
	require.NoError(t, err)
	assert.Equal(t, 1, len(signers))
	assert.Equal(t, []byte("something"), signers[0])
}
```

Its output is:
Tools Used
Code review
Recommended Mitigation Steps
Consider adding a `DefineCustomGetSigners` call in `app.go` for the x/coinswap module's `Input` message, as done for `MsgConvertERC20`.

Alternatively, consider adding a `cosmos.msg.v1.signer` tag to the x/coinswap module's `Input` message, pointing to its `address` field.

Assessed type
Invalid Validation
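The second mitigation as a proto fragment, added here as an illustration and not taken from the Canto repository: the signer chain now resolves `MsgSwapOrder` -> `input` -> `address`. Only the `input` and `address` fields are taken from the finding; the other fields and the field numbers are assumed.

```protobuf
syntax = "proto3";
package canto.coinswap.v1;

import "cosmos/msg/v1/msg.proto";

// The annotation on MsgSwapOrder is unchanged: it names the nested
// "input" field, so the signer must be resolved through Input.
message MsgSwapOrder {
  option (cosmos.msg.v1.signer) = "input";

  Input input = 1;
  // Remaining fields (output, deadline) are assumed for illustration.
  Output output = 2;
  int64 deadline = 3;
}

// Vulnerable shape described in the finding: Input had no signer
// annotation, so GetSigners could not resolve a signer and every
// MsgSwapOrder was rejected.
//
// message Input {
//   string address = 1;
//   cosmos.base.v1beta1.Coin coin = 2;
// }

// Corrected shape: the added option tells the x/tx signing context which
// field of Input holds the signer address, completing the chain.
message Input {
  option (cosmos.msg.v1.signer) = "address";

  string address = 1;
  // Coin field assumed for illustration.
  cosmos.base.v1beta1.Coin coin = 2;
}

message Output {
  string address = 1;
  cosmos.base.v1beta1.Coin coin = 2;
}
```

After regenerating the Go bindings, the `TestMsgSwapOrderSigners` test above should return a single signer equal to the bech32-decoded `Input.address` instead of an error.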