Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bank.SendKeeper breaks intended least authority permissioning #2887

Closed
cwgoes opened this issue Nov 22, 2018 · 4 comments
Closed

bank.SendKeeper breaks intended least authority permissioning #2887

cwgoes opened this issue Nov 22, 2018 · 4 comments
Labels
T: Security

Comments

@cwgoes
Copy link
Contributor

cwgoes commented Nov 22, 2018
edited
Loading

bank.SendKeeper is intended only to allow transfers of coins between accounts, but in fact it allows arbitrary minting or burning of coins with keeper.inputOutputCoins, because the invariant inputs.Sum() == outputs.Sum() is only checked in ValidateBasic() on bank.MsgSend. Modules which are passed a bank.SendKeeper have just as much power as modules which are passed the full bank.BaseKeeper.

Recommended mitigation: remove inputOutputCoins from the sendKeeper (it isn't used in any other modules presently).
Alternative mitigation: repeat the necessary validation, which is very inexpensive, in the keeper.
cwgoes added a commit that referenced this issue Nov 22, 2018
@cwgoes
Update keepers.md, discovered #2887
449a0af
@cwgoes cwgoes mentioned this issue Nov 22, 2018
Merged
4 tasks
@alexanderbez
Copy link
Contributor

We'd need this for IBC, correct? I think my vote would be to remove it and possibly create a new IBC bank keeper which the IBC module uses?

@cwgoes
Copy link
Contributor Author

cwgoes commented Nov 23, 2018

We'd need this for IBC, correct? I think my vote would be to remove it and possibly create a new IBC bank keeper which the IBC module uses?

There already is such as keeper - BaseKeeper.

@alexanderbez
Copy link
Contributor

I mean BaseKeeper w/o I/O coins.

@cwgoes
Copy link
Contributor Author

cwgoes commented Nov 23, 2018

I see, sure; let's wait to see exactly what the IBC module needs to do first though.

cwgoes added a commit that referenced this issue Nov 29, 2018
@cwgoes
Merge PR #2853: Write bank module specification, check spec/code cons…
98caf44 
…istency

* Update PENDING.md

* New structure

* Start transactions section

* Remove MsgIssue

* Update keepers.md

* Add state.md

* Update keepers.md, discovered #2887

* Move inputOutputCoins to BaseKeeper

* Remove no-loner-applicable tests

* More spec updates

* Tiny cleanup

* Clarify storage rationale

* Warn the user

* Remove extra newline
mircea-c pushed a commit that referenced this issue Dec 4, 2018
@cwgoes
Merge PR #2853: Write bank module specification, check spec/code cons…
8254c33 
…istency

* Update PENDING.md

* New structure

* Start transactions section

* Remove MsgIssue

* Update keepers.md

* Add state.md

* Update keepers.md, discovered #2887

* Move inputOutputCoins to BaseKeeper

* Remove no-loner-applicable tests

* More spec updates

* Tiny cleanup

* Clarify storage rationale

* Warn the user

* Remove extra newline
@snyk-bot snyk-bot mentioned this issue Jan 12, 2022
Open
@snyk-bot snyk-bot mentioned this issue Feb 9, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
T: Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alexanderbez @cwgoes