sherlock-admin4
commented
1 month ago 1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
Reputer and workers info can be overwritten via LibP2PKey
Closed sherlock-admin3 closed 1 month ago
sherlock-admin4
commented
1 month ago 1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
Reputer and workers info can be overwritten via LibP2PKey
sherlock-admin2
commented
1 month ago The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/458
lemonmon
Medium
msg_server_registerations::Registerwill overwrite reputerInfo, which can be used to sabotage other reputersSummary
Reputer information in the
reputersMap can be overwritten. An adversary may abuse it to exclude reputers' report from the payloads by other honest reputer head nodes.Vulnerability Detail
In the
allora-inference-base'sappchain::SendReputerModeData, the leader node will call the allora chain to get the other reputer's information viaGetReputerAddressByP2PKey:https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-inference-base/cmd/node/appchain.go#L546
The
Addressof the resulting reputer info will be used to ignore multiple entries from the same address. Specifically, the node will include only the first entry per address. It means if multiple peers have the same allora address in the allora chain viaGetReputerAddressByP2PKey, only first entry from the peers will be included by the leader node.https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-inference-base/cmd/node/appchain.go#L557
The
GetReputerAddressByP2PKeyfrom allora-chain returns theOwneraddress from thereputersMap:https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/keeper/keeper.go#L1509
On the
allora-chain, one can register a reputer viaRegistertransaction. It will eventually triggermsg_server_registrations::Registerfunction.In the
Registerfunctionmsg_register.Validatewill be called and it will validate that the length ofLibP2PKey.After the registration fee is paid,
InsertReputerwill be called:https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/keeper/msgserver/msg_server_registrations.go#L50
Which will update the
topicReputersKeySet andreputersMap.In the case that there is already an entry for the given
LibP2PKey, it will overwrite the existing entry with the new information.If somebody puts the same owner address for multiple
LibP2PKey, only one of these peers will be included in the reputer payload.Also, the
Owneraddress does not need to be the Sender's address, so it can be set to any address.Impact
An adversary can sabotage other reputers.
Code Snippet
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/keeper/msgserver/msg_server_registrations.go#L50
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-inference-base/cmd/node/appchain.go#L546
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-inference-base/cmd/node/appchain.go#L557
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/keeper/keeper.go#L1509
Tool used
Manual Review
Recommendation
consider validating the
LibP2PKeyDuplicate of #111