search

sherlock-audit / 2024-06-allora-judging

0 stars 0 forks source link

404Notfound - Insecure Implementation of Transaction Validation #98

Closed sherlock-admin2 closed 4 months ago

sherlock-admin2 commented 4 months ago

404Notfound

Medium

Insecure Implementation of Transaction Validation

Summary

All the TX msgs lack implementing ValidateBasic().

Vulnerability Detail

During the audit process, it was identified that the x/emission and x/mint modules do not implement the HasValidateBasic interface for any transaction message. This interface is responsible for performing a stateless validation check on any message before the transaction is added to the mempool. The ValidateBasic() function is defined as follows:

HasValidateBasic interface {
    // ValidateBasic does a simple validation check that
    // doesn't require access to any other information.
    ValidateBasic() error
}

The lack of implementation of this interface allows invalid transactions to be added to the mempool, which may largely increase the risk of Denial of Service (DoS) attacks and compromising the stability of the blockchain.

Impact

The lack of implementation of this interface allows invalid transactions to be added to the mempool, which may largely increase the risk of Denial of Service (DoS) attacks and compromising the stability of the blockchain.

Code Snippet

https://github.com/sherlock-audit/2024-06-allora/blob/4e1bc73db32873476f8b0a88945815d3978d931c/allora-chain/x/emissions/api/v1/tx.pulsar.go

Tool used

Manual Review

Recommendation

It is recommended that the x/emission and x/mint modules implement the HasValidateBasic interface and provide a proper implementation of the ValidateBasic() function for any transaction message to ensure that invalid transactions are rejected before being added to the mempool. An example from CosmosSDK, https://github.com/cosmos/cosmos-sdk/blob/2e0e6d87760425c06fe81b5d133f6963f8d6fb6a/x/group/types.go#L332