wormhole-foundation
CosmWasm Array Iteration May Lead to gas exhaustion in accountant/ntt accountant
When an observation has been submitted for a given transaction (sequence, chain id, emitter address), it is stored in a mapping (from the key above) to an array. If the digest between two observations is different, then the observation is added to the array
When trying to find the proper one, the find operation with an anonymous function is used. I don't know how Rust find or CosmWasm gas principles work very well, but anytime there is an unbounded array iteration it may be possible for a malicious actor to cause a loop so large that it runs out of gas.
Only Guardians can exploit this vulnerability by adding lots of observations for the same key over and over again. On the NTT or or token bridge, this may lead to a denial of service because if the TX on the accountant fails on Wormchain's accountant contract, then the whole transaction would just sit.
Affected Areas:
- https://github.com/wormhole-foundation/wormhole/blob/fa187bcf7317b7576b3e4af340dd6220ee4c91e6/cosmwasm/contracts/ntt-global-accountant/src/contract.rs#L237
- https://github.com/wormhole-foundation/wormhole/blob/fa187bcf7317b7576b3e4af340dd6220ee4c91e6/cosmwasm/contracts/global-accountant/src/contract.rs#L189
