Category: Coding Mistakes
Proposal vote extensions' byte limit
Medium Severity
Medium Impact
Low Likelihood
Description
When adding vote extensions to the proposal, there are no checks ensuring that the added vote extensions do not push the proposal over the maximum proposal size allowed (the default is 10,000).
func (h *ProposalHandler) PrepareProposal() sdk.PrepareProposalHandler {
	return func(ctx sdk.Context, req *abci.RequestPrepareProposal) (*abci.ResponsePrepareProposal, error) {
		// 3. inject a "fake" tx into the proposal s.t. validators can decode, verify the checkpoint
		injectedCkpt := &ckpttypes.MsgInjectedCheckpoint{
			Ckpt:               ckpt,
			ExtendedCommitInfo: &req.LocalLastCommit,
		}
		injectedVoteExtTx, err := h.buildInjectedTxBytes(injectedCkpt)
		if err != nil {
			return nil, fmt.Errorf("failed to encode vote extensions into a special tx: %w", err)
		}
		// The injected tx is added without checking the resulting proposal size.
		proposalTxs = slices.Insert(proposalTxs, defaultInjectedTxIndex, [][]byte{injectedVoteExtTx}...)
		return &abci.ResponsePrepareProposal{
			Txs: proposalTxs,
		}, nil
	}
}
Impact
A proposer might have their proposal rejected and be slashed.
Recommendations
Adjust the logic to account for the extra bytes of the vote extensions.
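One way to apply this recommendation, as an added example that is not Babylon's code or the fix in the referenced commit: reserve space for the injected transaction first, then keep the remaining transactions only while they fit. The helper names, the injected index of 0, and the use of raw byte lengths (no per-transaction encoding overhead) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

var errInjectedTooLarge = errors.New("injected vote-extension tx alone exceeds the proposal byte limit")

// injectWithinLimit (hypothetical helper) places the injected tx at index 0
// and then keeps txs in their original order while the running total stays
// within maxTxBytes. Sizes are raw byte lengths (assumption).
func injectWithinLimit(txs [][]byte, injected []byte, maxTxBytes int64) ([][]byte, error) {
	used := int64(len(injected))
	if used > maxTxBytes {
		// Fail locally instead of emitting a proposal that cannot be valid.
		return nil, errInjectedTooLarge
	}
	out := [][]byte{injected}
	for _, tx := range txs {
		if used+int64(len(tx)) > maxTxBytes {
			break // stop at the first tx that does not fit, preserving order
		}
		used += int64(len(tx))
		out = append(out, tx)
	}
	return out, nil
}

// totalBytes sums the raw lengths of all txs in a proposal.
func totalBytes(txs [][]byte) int64 {
	var n int64
	for _, tx := range txs {
		n += int64(len(tx))
	}
	return n
}

func main() {
	// Constructed sample: 9,500 bytes of txs plus a 3,000-byte injected tx,
	// against the 10,000 default limit cited in the finding.
	txs := [][]byte{make([]byte, 4000), make([]byte, 4000), make([]byte, 1500)}
	injected := make([]byte, 3000)
	out, err := injectWithinLimit(txs, injected, 10000)
	fmt.Println(len(out), totalBytes(out), err)
}
```

An unchecked insert on the same sample would produce a 12,500-byte proposal.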
Remediation
This issue has been acknowledged by Babylon Labs, and a fix was implemented in commit aa827f87.
This was remediated by following the above recommendation.