sherlock-audit / 2024-06-allora-judging


0x416 - Lack of authorization when calling blockless API #128

Closed sherlock-admin2 closed 1 month ago

sherlock-admin2 commented 2 months ago

0x416

High

Lack of authorization when calling blockless API

Summary

Lack of authorization when calling blockless API

Vulnerability Detail

The code relies on the Blockless API for certain actions, such as InferencesRequest and submitting loss updates.

package api

import (
    "net/http"
    "os"
    "strings"
)

// makeApiCall POSTs payload to the Blockless API endpoint named by
// BLOCKLESS_API_URL. No credential (Authorization header, JWT, API key) is
// attached to the request, and the response status and body are never
// inspected, so a rejected call is indistinguishable from a successful one.
func makeApiCall(payload string) error {
    url := os.Getenv("BLOCKLESS_API_URL")
    method := "POST"

    client := &http.Client{}
    req, err := http.NewRequest(method, url, strings.NewReader(payload))
    if err != nil {
        return err
    }
    // Only content-negotiation headers are set; nothing identifies the caller.
    req.Header.Add("Accept", "application/json, text/plain, */*")
    req.Header.Add("Content-Type", "application/json;charset=UTF-8")

    res, err := client.Do(req)
    if err != nil {
        return err
    }
    defer res.Body.Close()

    // res.StatusCode is not checked: a 401/403 from the API returns nil here.
    return nil
}

However, the code does not add any authorization method, such as a JWT token:

https://blockless.network/docs/reference/cli/identity-and-account

Because of the missing authorization, the API call will revert and fail.

Impact

The call to the Blockless API is missing authorization, which makes every loss / inference update return an error message.

Code Snippet

https://github.com/sherlock-audit/2024-06-allora/blob/4e1bc73db32873476f8b0a88945815d3978d931c/allora-chain/app/api.go#L166

Tool used

Manual Review

Recommendation
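The following is an added example (not code from the report or from the allora-chain repository) showing the hardened counterpart of makeApiCall above: it refuses to run without a credential, sends it as a Bearer token, and turns any non-2xx response into an error instead of returning nil. The page does not state which authentication scheme the Blockless API actually expects, so the Bearer header, the token value and the mock server that rejects unauthenticated requests are all assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// apiError carries the HTTP status so callers can tell an auth failure
// (401/403) apart from a transport error or a malformed request.
type apiError struct {
	Status int
	Body   string
}

func (e *apiError) Error() string {
	return fmt.Sprintf("blockless api returned %d: %s", e.Status, e.Body)
}

// postWithAuth is the hardened form of the report's makeApiCall. It fails
// closed when no token is configured, attaches the token as a Bearer
// credential (assumed scheme), and reports non-2xx responses as errors.
func postWithAuth(client *http.Client, url, token, payload string) error {
	if token == "" {
		return errors.New("blockless api token not configured")
	}
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(payload))
	if err != nil {
		return err
	}
	req.Header.Set("Accept", "application/json")
	req.Header.Set("Content-Type", "application/json;charset=UTF-8")
	req.Header.Set("Authorization", "Bearer "+token)

	res, err := client.Do(req)
	if err != nil {
		return err
	}
	defer res.Body.Close()
	// Read a bounded amount of the body so the error message is useful
	// without letting a hostile server exhaust memory.
	body, _ := io.ReadAll(io.LimitReader(res.Body, 4096))
	if res.StatusCode < 200 || res.StatusCode >= 300 {
		return &apiError{Status: res.StatusCode, Body: strings.TrimSpace(string(body))}
	}
	return nil
}

// newMockBlocklessServer stands in for the real API (constructed for this
// example): it rejects any request whose Bearer token is missing or wrong.
func newMockBlocklessServer(expectedToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if got == "" || got != expectedToken {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(`{"ok":true}`))
	}))
}

// callStatus runs one request and returns the HTTP status the server sent,
// or 0 when the request was never attempted (no token configured).
func callStatus(serverURL, token, payload string) int {
	err := postWithAuth(http.DefaultClient, serverURL, token, payload)
	var ae *apiError
	if errors.As(err, &ae) {
		return ae.Status
	}
	if err != nil {
		return 0
	}
	return http.StatusOK
}

func main() {
	// "secret-token" would normally come from an env var such as
	// BLOCKLESS_API_TOKEN (hypothetical name), never from a literal.
	srv := newMockBlocklessServer("secret-token")
	defer srv.Close()
	payload := `{"function_id":"inference","method":"execute"}` // constructed sample body
	fmt.Println("no token:   ", callStatus(srv.URL, "", payload))
	fmt.Println("wrong token:", callStatus(srv.URL, "bad", payload))
	fmt.Println("right token:", callStatus(srv.URL, "secret-token", payload))
}
```

The point the original makeApiCall misses is visible in the three runs: without status checking, the wrong-token case (401) would have been reported as success, so loss and inference updates would silently never reach the API.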

sherlock-admin2 commented 1 month ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

Report lacks detail

sherlock-admin2 commented 1 month ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/458

JeffCX commented 1 month ago

Escalate

The protocol still chose to fix it.

I think it is usually common to use a JWT or authorization token to call an API,

and the API cannot be called plainly without such a key.

So the issue should be medium.

sherlock-admin3 commented 1 month ago

> Escalate
>
> The protocol still chose to fix it.
>
> I think it is usually common to use a JWT or authorization token to call an API,
>
> and the API cannot be called plainly without such a key.
>
> So the issue should be medium.

You've created a valid escalation!

To remove the escalation from consideration: Delete your comment.

You may delete or edit your escalation comment anytime before the 48-hour escalation window closes. After that, the escalation becomes final.

mystery0x commented 1 month ago

> Escalate
>
> The protocol still chose to fix it.
>
> I think it is usually common to use a JWT or authorization token to call an API,
>
> and the API cannot be called plainly without such a key.
>
> So the issue should be medium.

I don't think the report gives proper vulnerability details or a POC to warrant Medium, and the recommendation is empty too.

WangSecurity commented 1 month ago

I agree with the Lead Judge that this report lacks proof of an issue and of how this would result in a loss. It looks like a recommendation to add authorization rather than an issue.

Hence, planning to reject the escalation and leave the issue as it is.

Note: the sponsor fixing the bug doesn't mean it should be rewarded.

WangSecurity commented 1 month ago

Result: Invalid Unique

sherlock-admin4 commented 1 month ago

Escalations have been resolved successfully!

Escalation status: