Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Initia>High findings>Malicious proposer can skip fee check
GeneralOverview
Findings
Critical (3)
High (12)Missing gas charge on memo in native_nft_transferNext zapping ID potentially duplicatedPublished module names do not necessarily match binary moduleStablepools can be created with one or no assetsStablepool swap can be called, repeating the same assetFrozen module coin store can cause chain haltMalicious proposer can skip fee checkMove coins can be burned twiceQuery gas limit not enforced through bank moduleIncorrect signer check for shorthand accountsValidator set updates can skip current validatorsWithdrawal hash clash using variable-length fields
Medium (4)
Low (9)
Informational (3)
DiscussionGeneral DiscussionImprove AMM testsBridge executor minting powerCharge before using valuesEmpty allowed_publishers array allows every address to publishERC20Keeper with custom contractsSuggestions for additional security checksTable handle overflow leads to abort
Threat ModelWhat are threat models?stdlib
Audit ResultsSummary
AppendixProof of concept: Reference safety verifier bypass
Category: Coding Mistakes

Malicious proposer can skip fee check

High Severity
High Impact
Medium Likelihood

Description

When a transaction is submitted to the mempool, the MempoolFeeChecker is run to ensure that the correct fees have been paid to cover the gas:

func (fc MempoolFeeChecker) CheckTxFeeWithMinGasPrices(ctx sdk.Context, tx sdk.Tx) (sdk.Coins, int64, error) {
    feeTx, ok := tx.(sdk.FeeTx)
    if !ok {
        return nil, 0, errors.Wrap(sdkerrors.ErrTxDecode, "Tx must be a FeeTx")
    }

    feeCoins := feeTx.GetFee()
    gas := feeTx.GetGas()

    priority := int64(1)
    if ctx.IsCheckTx() {
        minGasPrices := ctx.MinGasPrices()
        feeValueInBaseUnit := math.ZeroInt()

The issue is that the check is only run on IsCheckTx, which means it is not run for transactions proposed in a block. A malicious proposer could include a transaction with an arbitrary amount of gas and no fees.

Impact

A malicious proposer could publish a Move module containing an endless loop, then when it is their turn to propose a block, include a transaction with 0x7fffffffffffffff gas and no fees that executes the function, essentially halting the chain with all the validators stuck in the loop.

In order for a validator to propose a block they must be bonded and have staked enough to have enough consensus power to be chosen as the proposer.

Recommendations

Consider always running the MempoolFeeChecker; otherwise, ensure that a malicious proposer can be slashed for halting the chain.

Remediation

Initia Labs provided the following response:

I think we can assume this is not that problematic in these two reason. The Cosmos-SDK have one guard (block_gas_limit) to prevent this case. We plan to set this to 200_000_000 for testnet, and then the tx spending higher than this will be ignored. Probably we can also make params tx_gas_limit to limit the gas consumption of each contract execution. A malicious proposer can not generate a block commonly due to voting power aspect, and if the malicious proposal could be an active proposer that means this proposer invested on INIT token.

Zellic © 2024Back to top ↑