Cosmos-sdk: Attacker can submit TX with negative Fee minting tokens

Created on 12 Nov 2018  路  3Comments  路  Source: cosmos/cosmos-sdk

Summary of Bug

The StdTx.Fee can be set to a negative amount.

Since there is no validation both the FeePool will be corrupted and the first signature's balance increased.

This is a critical problem since any account can drain the fee pool and add the tokens to their own account.

Steps to Reproduce

Set StdTx to a negative Coins amount

For Admin Use

  • [x] Not duplicate issue
  • [x] Appropriate labels applied
  • [x] Appropriate contributors tagged
  • [x] Contributor assigned/self-assigned
bug critical
Source
picture hendrikhofstadt

Most helpful comment

Ref https://github.com/cosmos/cosmos-sdk/issues/1273, which would have prevented this entire class of bugs, of which there have been several so far.

picture cwgoes on 12 Nov 2018
👍3

All 3 comments

Ref https://github.com/cosmos/cosmos-sdk/issues/1273, which would have prevented this entire class of bugs, of which there have been several so far.

cwgoes picture cwgoes on 12 Nov 2018
👍3

Potentially fits the security tag as well.

@cwgoes I agree. Any particular reason #1273 has not been implemented yet ? That could also avoid a lot of redundant .LT(0) checks.

hendrikhofstadt picture hendrikhofstadt on 12 Nov 2018

Any particular reason #1273 has not been implemented yet?

Not any good one. We're on it.

cwgoes picture cwgoes on 12 Nov 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

faboweb picture faboweb  路  3Comments
ValarDragon picture ValarDragon  路  3Comments
cwgoes picture cwgoes  路  3Comments
rigelrozanski picture rigelrozanski  路  3Comments
ValarDragon picture ValarDragon  路  3Comments