There is no upper limit to the time-out on PFM packets
Description
In the OnRecvPacket() function of the IBC middleware, there are checks to ensure that the time-out on the packet cannot be negative. However, there is no upper limit set on the time-out.
Since there is no way to cancel a packet once it is sent, and because the maximum number of retries possible is 255, it is possible for a packet to get stuck in a time-out for an extremely long time. The time-out uses a time.Duration type, which is an int64. The highest possible int64 is a very large number.
Impact
This issue requires an external issue to trigger, because time-outs do not occur normally. This can occur due to an external bug on a chain or due to external issues with relayers. Because of this, the likelihood is low. However, because a user can lose access to their funds for a long time, the severity is medium. This leads to a low impact.
Recommendations
Add a check that ensures the time-out does not exceed an upper bound.
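One way to implement the recommended check, as an added example that is not code from the audited project. The names BoundedTimeout and WorstCaseLock, the 24-hour cap, the 5-minute default and the fallback for non-positive values are all assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"time"
)

// Hypothetical policy values; the audited code base does not define these.
const (
	DefaultForwardTimeout = 5 * time.Minute
	MaxForwardTimeout     = 24 * time.Hour
)

var ErrTimeoutTooLong = errors.New("forward timeout exceeds upper bound")

// BoundedTimeout validates a requested time-out. Non-positive values fall back
// to the default (assumed behaviour); values above the cap are rejected.
func BoundedTimeout(requested time.Duration) (time.Duration, error) {
	if requested <= 0 {
		return DefaultForwardTimeout, nil
	}
	if requested > MaxForwardTimeout {
		return 0, fmt.Errorf("%w: %s > %s", ErrTimeoutTooLong, requested, MaxForwardTimeout)
	}
	return requested, nil
}

// WorstCaseLock returns timeout * (retries + 1), the time funds stay in flight
// if every attempt times out. ok is false when the product overflows int64.
func WorstCaseLock(timeout time.Duration, retries uint8) (lock time.Duration, ok bool) {
	attempts := int64(retries) + 1
	if timeout > 0 && int64(timeout) > math.MaxInt64/attempts {
		return 0, false
	}
	return timeout * time.Duration(attempts), true
}

func main() {
	// time.Duration counts nanoseconds, so math.MaxInt64 is roughly 292 years.
	for _, d := range []time.Duration{-1, 10 * time.Minute, math.MaxInt64} {
		t, err := BoundedTimeout(d)
		fmt.Println(d, "->", t, err)
	}
	lock, _ := WorstCaseLock(MaxForwardTimeout, math.MaxUint8)
	fmt.Println("worst case at cap with 255 retries:", lock)
}
```

Even with the per-attempt cap in place, 255 retries multiply the exposure, so the cap should be chosen with the retry limit in mind.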