Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AWARD: Ark Protocol Claim "1 - Best Auditor" #713

Closed
taitruong opened this issue Mar 23, 2023 · 5 comments
Closed

AWARD: Ark Protocol Claim "1 - Best Auditor" #713

taitruong opened this issue Mar 23, 2023 · 5 comments
Labels
award Claim award!

Comments

@taitruong
Copy link
Contributor

Award and Bug claim has been issued here: #158. We are splitting claim into 2 parts. This covers the Best Audtor Award claim.

Audits and reviews on NFT module and ICS721 wasm contract:

  1. audit and bugs identified
    i. 6 bugs during GoN and at least 2 before GoN - see here: AWARD: Ark Protocol Claim "5 - Bug Hunters" #705
    ii. both 2 critical bugs have been identified by team members of Ark Protocol:
    A. exploit token data on transfer (IBC receive/send packet) from source to target chain
    a) exploit and example here: AWARD: Ark Protocol Claim Best Auditor and/or Bug :) #158
    b) please also note the steps to reproduce in AWARD: Ark Protocol Claim Best Auditor and/or Bug :) #158. especiall this code snippet:
    let rugged_receiver = "stars1g0krhq56pmxmaz8lnj8h6jf55kcsq7x0lw5ywc";
    let receiver = deps.api.addr_validate(rugged_receiver)?;

This exploit is a honeypot, allowing exploiter to take ownership of NFT by overriding receiver address. In return exploiter can just send NFT back to 'official' collection and take ownership by passing any recipient of course - by doing a normal ICS (back) transfer.
Even if a collector would not fall into this honeypot trap. Exploiter can send itself to exploited contract on another chain, change metadata and send it back with modified token data - like with manipulated rare, legendaray traits for selling a former cheap NFT to a higher price.

B. exploit token data on response (IBC ACK packet) with ACK fail on back transfer from target back to source chain
  a) exploit explanation here: https://github.com/game-of-nfts/gon-evidence/issues/705#issuecomment-1481335082
  1. Spec reviews and contributions

image
image

More reviews:

@taramakage taramakage added the award Claim award! label Mar 24, 2023
@taitruong
Copy link
Contributor Author

There is a fix for avoiding stealing NFTs. The fix only checks whether NFT is escrowed. So exploiting an not send/not escrowed NFTs is not possible anymore. Nevertheless it is possible to steal an escrowed, from another custom ICS721 contract with a fake class id. The solution is: when receiving a back transfer dest channel must be checked against (outgoing) channel, at the time, when NFT was transferred to specific channel. This way it guarantees that during receival, nft module only accepts back transfer when source channel is the same, as the outgoing channel where it has previously been send to. See my comment here:

bianjieai/nft-transfer#12 (comment)

@taitruong
Copy link
Contributor Author

As mentioned together with IRISnet, Ark Protocol, has reviewed, supported and tested transfers between ICS721 wasm contract and nft module since Nov. 2022. Like these 2 issues have been identified and fixed:

  1. NonFungibleTokenPacketData uses camel case json encoding
    NonFungibleTokenPacketData uses camel case json encoding bianjieai/nft-transfer#2

image

  1. Fix: NFT package JSON encoding
    Fix: NFT package JSON encoding bianjieai/nft-transfer#7

image

@taitruong
Copy link
Contributor Author

There is a fix for avoiding stealing NFTs. The fix only checks whether NFT is escrowed. So exploiting an not send/not escrowed NFTs is not possible anymore. Nevertheless it is possible to steal an escrowed, from another custom ICS721 contract with a fake class id. The solution is: when receiving a back transfer dest channel must be checked against (outgoing) channel, at the time, when NFT was transferred to specific channel. This way it guarantees that during receival, nft module only accepts back transfer when source channel is the same, as the outgoing channel where it has previously been send to. See my comment here:

bianjieai/nft-transfer#12 (comment)

See my custom contract and comment in #705

@taitruong
Copy link
Contributor Author

Also check our review on nft module is able to change token data - even though on origin chain the creator has ownership of this collection: #705 (comment)

Using nft module it allows user to change token data on transferring back to original collection.

@taitruong
Copy link
Contributor Author

Importance of Truth-of-Source by validating incoming classId provided in NonFungibleTokenPacketData against source port + source channel + token id: https://twitter.com/arkprotocol/status/1641756940962283520

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
award Claim award!
Projects
None yet
Development

No branches or pull requests

2 participants