Open sherlock-admin3 opened 1 month ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
OnRecvPacket doesn't have authentication
The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/453
defsec
Medium
Lack of Authentication in OnRecvPacket
Summary
The Axelar sample code acknowledges the importance of authenticating the message based on the channel ID, in addition to verifying the packet sender. However, the Allora chain's implementation does not include any channel ID/sender authentication logic.
Vulnerability Detail
In the provided code for the Allora chain's IBC middleware (gmp/middleware.go), the OnRecvPacket function does not perform authentication based on the channel ID when processing incoming packets. This can potentially lead to security vulnerabilities and allow unauthorized or unintended processing of packets.
Comparing it with the Axelar sample code (gmp_middleware/middleware.go), there is a commented-out TODO section that mentions the need for channel ID authentication:
Impact
Without verifying the channel ID, the middleware may process packets from unintended or unauthorized channels. This can result in the execution of malicious or unexpected actions on the receiving chain.
Axelar Sample : https://github.com/axelarnetwork/evm-cosmos-gmp-sample/blob/main/native-integration/sample-middleware/gmp_middleware.go#L114
Code Snippet
ibc_middleware.go#L112-L113
Tool used
Manual Review
Recommendation
Modify the OnRecvPacket function to include a check that verifies the authenticity of the packet based on the channel ID/sender.
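A minimal sketch of the check this recommendation describes, added here as an example; it is not code from the Allora or Axelar repositories. The Packet type, the trusted channel and sender values, and AuthenticateGMP are hypothetical, and checking the receiving chain's own channel end is an assumption about which identifier to pin.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Packet is a simplified stand-in for an IBC packet (hypothetical, not the ibc-go type).
type Packet struct {
	DestChannel string // channel end on the receiving chain
	Data        []byte // ICS-20 style JSON payload
}

// Constructed values; a real chain would keep these in module params.
const (
	trustedChannel = "channel-0"
	trustedSender  = "axelar1constructedgmpaccount"
)

var ErrUnauthorized = errors.New("gmp: unauthorized packet")

// AuthenticateGMP accepts a packet only if it arrived on the trusted
// channel AND its payload names the trusted sender.
func AuthenticateGMP(p Packet) error {
	if p.DestChannel != trustedChannel {
		return fmt.Errorf("%w: channel %q", ErrUnauthorized, p.DestChannel)
	}
	var d struct {
		Sender string `json:"sender"`
	}
	if err := json.Unmarshal(p.Data, &d); err != nil {
		return fmt.Errorf("%w: undecodable data: %v", ErrUnauthorized, err)
	}
	if d.Sender != trustedSender {
		return fmt.Errorf("%w: sender %q", ErrUnauthorized, d.Sender)
	}
	return nil
}

func main() {
	good := []byte(`{"sender":"axelar1constructedgmpaccount","memo":"{}"}`)
	for _, p := range []Packet{
		{"channel-0", good}, // expected path
		{"channel-7", good}, // same sender string, different channel
		{"channel-0", []byte(`{"sender":"cosmos1someoneelse"}`)},
	} {
		fmt.Printf("%s -> %v\n", p.DestChannel, AuthenticateGMP(p))
	}
}
```

The sender field alone is a string carried in the packet data, so the channel comparison is what ties it to the expected counterparty chain.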