Category: Coding Mistakes

Admin policy check will always fail

Medium Severity
Medium Impact
Medium Likelihood

Description

The AddToOutTxTracker was changed from allowing bonded validators to call it to allowing an admin policy account or one of the current observers:

```go
func (k msgServer) AddToOutTxTracker(goCtx context.Context, msg *types.MsgAddToOutTxTracker) (*types.MsgAddToOutTxTrackerResponse, error) {
	ctx := sdk.UnwrapSDKContext(goCtx)
	chain := k.zetaObserverKeeper.GetParams(ctx).GetChainFromChainID(msg.ChainId)
	if chain == nil {
		return nil, zetaObserverTypes.ErrSupportedChains
	}
	authorized := false
	// First grant: the caller is the admin policy account for the out tx tracker.
	if msg.Creator == k.zetaObserverKeeper.GetParams(ctx).GetAdminPolicyAccount(zetaObserverTypes.Policy_Type_out_tx_tracker) {
		authorized = true
	}
	// Second grant: the caller is a current observer. IsAuthorized reports a
	// non-observer as an error, and that error is returned before `authorized`
	// is ever consulted, so the admin grant above is discarded.
	ok, err := k.IsAuthorized(ctx, msg.Creator, chain)
	if err != nil {
		return nil, err
	}
	if ok {
		authorized = true
	}
	if !authorized {
		return nil, sdkerrors.Wrap(types.ErrNotAuthorized, fmt.Sprintf("Creator %s", msg.Creator))
	}
```

The issue is that the admin policy account is unlikely to also be an observer, so for the admin the call to IsAuthorized returns an error and the function returns that error immediately. The `authorized` flag set by the admin check is never reached, which means the admin branch has no effect.

Impact

The admin policy will not work as expected and will be unable to add to the out tracker.

Recommendations

The function should be refactored so that either the admin policy account or a current observer is accepted, rather than returning early whenever the caller is not an observer.
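To make the control-flow defect from the Description and the recommended fix concrete, here is an added, self-contained Go example that is not ZetaChain's code. It replaces the keeper with a constructed `policyState` (the `adminPolicyAccount` field, the `observers` set, the `isObserver` helper and the account names are all assumptions), reproduces the reported ordering in `buggyAuthorize`, and shows the restructured check in `fixedAuthorize`.

```go
package main

import (
	"errors"
	"fmt"
)

var errNotObserver = errors.New("creator is not an observer")
var errNotAuthorized = errors.New("not authorized")

// Constructed stand-in for the keeper state the real handler consults.
type policyState struct {
	adminPolicyAccount string          // account granted by the out-tx-tracker admin policy
	observers          map[string]bool // current observer set
}

// isObserver has the shape of IsAuthorized: a non-observer yields an error, not just false.
func (s policyState) isObserver(creator string) (bool, error) {
	if s.observers[creator] {
		return true, nil
	}
	return false, errNotObserver
}

// buggyAuthorize reproduces the reported flow: the observer error is returned before the admin result is used.
func buggyAuthorize(s policyState, creator string) error {
	authorized := creator == s.adminPolicyAccount
	ok, err := s.isObserver(creator)
	if err != nil {
		return err // a non-observer admin is rejected here
	}
	if ok {
		authorized = true
	}
	if !authorized {
		return fmt.Errorf("%w: creator %s", errNotAuthorized, creator)
	}
	return nil
}

// fixedAuthorize admits the admin policy account outright; the observer error only rejects everyone else.
func fixedAuthorize(s policyState, creator string) error {
	if creator == s.adminPolicyAccount {
		return nil
	}
	if ok, err := s.isObserver(creator); err != nil || !ok {
		return fmt.Errorf("%w: creator %s", errNotAuthorized, creator)
	}
	return nil
}
```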

Remediation

This issue has been acknowledged by ZetaChain, and a fix was implemented in commit 8222734c.

Zellic © 2025