axoned icon indicating copy to clipboard operation
axoned copied to clipboard

Published 20 hours ago verified publisher icon axone-protocol

🛡️ Outdated Vesting module poses multiple risks

Open ccamel opened this issue 1 year ago • 0 comments

Severity: Medium target: v7.1.0 - Commit: 3c854270b006db30aa3894da2cdba10cc31b8c5f Ref: OKP4 Blockchain Audit Report v1.0 - 02-05-2024 - BlockApex

Description

The following distinct but related vulnerabilities have been identified and manually verified by the team.

  1. BlockedAddress Input Validation: This issue involves insufficient validation mechanisms for BlockedAddress entries. The lack of rigorous validation allows for the potential misuse of blockchain resources, compromising the security of transactions.
  2. Sanity Checks for PeriodicVestingAccount: In msg_server.go, this vulnerability arises from inadequate sanity checks during the creation of a PeriodicVestingAccount. Specifically, the system does not correctly handle cases where EndTime values are negative or overflow, which can result in system crashes or undefined behavior.
  3. Faulty GRPC Query Tally: In grpc_query.go, the query for a failed proposal tally incorrectly attempts to tally votes anew instead of fetching the final tally result from proposal.FinalTallyResult, after votes have been removed post-failure. This results in inaccurate or impossible query responses.

Recommendation

The vesting module should refer to the correct upstream repository of cosmossdk/x/auth/vesting to ensure all security patches are correctly applied.

References

ccamel avatar May 15 '24 09:05 ccamel