Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Initia>High findings>Missing gas charge on ,memo, in ,native_nft_transfer
GeneralOverview
Findings
Critical (3)
High (12)Missing gas charge on memo in native_nft_transferNext zapping ID potentially duplicatedPublished module names do not necessarily match binary moduleStablepools can be created with one or no assetsStablepool swap can be called, repeating the same assetFrozen module coin store can cause chain haltMalicious proposer can skip fee checkMove coins can be burned twiceQuery gas limit not enforced through bank moduleIncorrect signer check for shorthand accountsValidator set updates can skip current validatorsWithdrawal hash clash using variable-length fields
Medium (4)
Low (9)
Informational (3)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?stdlib
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass
Category: Coding Mistakes

Missing gas charge on memo in native_nft_transfer

High Severity
High Impact
High Likelihood

Description

The native implementation native_nft_transfer function in cosmos.rs does not charge gas for the memo argument.

Impact

In a DOS attack, an attacker can create a transaction with a large memo field and spam the network with transactions that do not pay the full, appropriate gas fees.

Recommendations

Add the following line to the native_nft_transfer function in cosmos.rs:

fn native_nft_transfer(
    context: &mut SafeNativeContext,
    ty_args: Vec<Type>,
    mut arguments: VecDeque<Value>,
) -> SafeNativeResult<SmallVec<[Value; 1]>> {
    let gas_params = &context.native_gas_params.initia_stdlib.cosmos.nft_transfer;
    context.charge(gas_params.base)?;

    debug_assert!(ty_args.is_empty());
    debug_assert!(arguments.len() == 10);

    let memo = safely_pop_arg!(arguments, Vector).to_vec_u8()?;
+    context.charge(gas_params.per_byte * NumBytes::new(memo.len() as u64))?;
    let timeout_timestamp = safely_pop_arg!(arguments, u64);
    let revision_height = safely_pop_arg!(arguments, u64);
    let revision_number = safely_pop_arg!(arguments, u64);
    let source_channel = safely_pop_arg!(arguments, Vector).to_vec_u8()?;
    context.charge(gas_params.per_byte * NumBytes::new(source_channel.len() as u64))?;

    // [...]
}

Remediation

Zellic © 2024Back to top ↑