Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Osmosis Authentication Abstraction>Discussion>Signature authenticator excessive gas
GeneralOverview
Findings
Critical (2)
High (2)
Medium (2)
Low (3)
Informational (1)
DiscussionSignature authenticator excessive gas
Threat ModelWhat are threat models?authenticatorauthz
Audit ResultsSummary
AppendixAppendixPOC signature authenticator authentication bypassPOC for bypass fee payer authentication

Excessive gas might be charged by the signature authenticator

The SignatureVerificationAuthenticator charges gas for authenticating every signer present in a message:

func (sva SignatureVerificationAuthenticator) Authenticate(ctx sdk.Context, account sdk.AccAddress, msg sdk.Msg, authenticationData iface.AuthenticatorData) iface.AuthenticationResult {
    [...]
	params := sva.ak.GetParams(ctx)
	for _, sig := range verificationData.Signatures {
		err := authante.DefaultSigVerificationGasConsumer(ctx.GasMeter(), sig, params)
		if err != nil {
			return iface.Rejected("couldn't get gas consumer", err)
		}
	}

This means that if multiple messages are present in a transaction, then the signature is checked each time for every message. The gas has to be paid each time the signature is validated. However, this is different to the original signature verification as it only validates a signer for the transaction once.

This could be avoided by adding caching during the transaction execution, which stores the signers that have already been validated. These signers do not have to be verified again, and therefore gas would not be charged multiple times.

Zellic © 2025Back to top ↑