Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

No negative check for amount in lockcoins #16

Open
msjyryxdzzj opened this issue Jul 31, 2020 · 2 comments
Open

No negative check for amount in lockcoins #16

msjyryxdzzj opened this issue Jul 31, 2020 · 2 comments
Labels
bug Something isn't working

Comments

@msjyryxdzzj
Copy link

msjyryxdzzj commented Jul 31, 2020

Describe The Bug

There exists no negative check forAmount field in MsgLockCoinData when handling lockcoins.The attacker can lock a negative coin, and then his spendable coin will increase. Although the spendable coin is temporarily in the testing stage, this can be understood as the user's available assets, that is, the attacker can mint coins at will.
By exploiting this vulnerability, the attacker could lock a large negative coin to the account of himself, which disasterly destroy the whole ecosystem.
image
image

Code Snippets (Optional)

/x/asset/type/types.pb.go:L254-261:

type MsgLockCoinData struct {
	// Id lock account
	Id types.AccountID `protobuf:"bytes,1,opt,name=id,proto3" json:"id" yaml:"id"`
	// Amount coins to lock
	Amount github_com_cosmos_cosmos_sdk_types.Coins `protobuf:"bytes,2,rep,name=amount,proto3,castrepeated=github.com/cosmos/cosmos-sdk/types.Coins" json:"amount" yaml:"amount"`
	// UnlockBlockHeight the block height the coins unlock
	UnlockBlockHeight int64 `protobuf:"varint,3,opt,name=unlockBlockHeight,proto3" json:"unlockBlockHeight,omitempty" yaml:"unlockBlockHeight"`
}

TheAmount filed of the MsgLockCoinData struct can be set as a negative value.

To reproduce the vulnerability, we need to modify the source code a little bit.

Modify the client code to make the amount set as negative when constructing the lockcoins transction.
/x/asset/client/cli/lock.go:L20:60

func LockCoin(cdc *codec.Codec) *cobra.Command {
	...

	amount, err := sdk.ParseCoins(args[2])
	if err != nil {
		return err
	}
        amount[0].Amount = amount[0].Amount.Neg()
        ...
}

Input/Output

  1. Craft a MsgLockCoinData: '{"id":"kratos","amount":["-1000kratos/kts"],"UnlockBlockHeight":"9"}'
  2. Output: None

Steps to reproduce the behavior:

  1. Modify the source code as shown in the Code Snippets.
  2. make
  3. ./scripts/boot-testnet.sh ./
  4. ./build/ktscli query asset coins kratos
  5. ./build/ktscli tx asset lock kratos 9 1000kratos/kts --keyring-backend test --chain-id testing --home ./testing/cli/ --from kratos
  6. ./build/ktscli query asset locked kratos

Expected Behavior

Return an error "The amount of coin cannot be negative."

Screenshots

after the lockcoin transaction:
image

Desktop (please complete the following information):

OS: [macOS Catalina 10.15.6]

Additional Context (Optional)

Note: This problem not only exists in lockcoin(), many other places also have this problem.

Contact Information

zijun.zhao@chaitin.com

@msjyryxdzzj msjyryxdzzj changed the title No negative check for amount in lockcoins/unlockcoins No negative check for amount in lockcoins Jul 31, 2020
@Pisces-Anjou
Copy link
Contributor

Hi

Thanks for your submission.
We have tested the issue you mentioned and did reproduce it.
This is a valid vulnerability. After evaluation, this vulnerability has been graded as P2.
Please pay attention to the announcement and your email to get your rewards.
Thanks for your attention and contribution. Please keep trying and help us improve our chain.

Regards
KuChain Team

@Pisces-Anjou Pisces-Anjou added the bug Something isn't working label Aug 5, 2020
@msjyryxdzzj
Copy link
Author

We emphasize that this vulnerability is a very serious vulnerability, because lockcoin() a negative amount is a very easy thing, and it can increase the user’s available assets to achieve arbitrary coinage, and thus destroy the whole ecosystem.This is like having a money printing machine at home. I think this fits the description of P1 "Vulnerabilities that could undermine the safety of any user or validator's fund/fee" and "Vulnerabilities that could severely undermine trading or token economy", right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants