Some fields in transaction are not authenticated by signature

[yihuang]

System info: ethermint main

Steps to reproduce:

Some fields in transaction are not signed:

• the fields in the wrapping cosmos tx
• the redundant From field in the MsgEthereumTx

Attacker is free to change these fields and tx is still valid.

Expected behavior: Can't modify tx without resigning.

Actual behavior: Can modify tx without resigning.

Additional info:

We should verify those fields against a constant value.

[leejw51crypto]

it's overwritten
in func (esvd EthSigVerificationDecorator) AnteHandle

// set up the sender to the transaction field if not already
 msgEthTx.From = sender.Hex()

how about adding in rpc client side?

[yihuang]

The issue is it don't verify the content before override it.

[tomtau]

@Muggle-Du is looking into this issue

[JayT106]

@Muggle-Du is looking into this issue

is @Muggle-Du still looking into it?

[adu-web3]

@Muggle-Du is looking into this issue

is @Muggle-Du still looking into it?

Yes, I'm still looking into this.
And I need some help about this issue.
Currently, the tx on wire is a private type, so we can’t simply inspect the internals and do validation.
So why don't we directly broadcast MsgEthereumTx instead of using a wrapper, since MsgEthereumTx had already implemented sdk.tx?
Or can you propose any other workarounds?

[tomtau]

@fedekunze

[leejw51crypto]

adding "from" null as part of consensus.
and other tx fields (not included in eth) as null
so keeping eth verification compatibility.

currently, it's ignored in ante-handler level. so any data is accepted.