You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Within the CosmWasm keeper the function that sends coins using the bank module performs some of the validation that should be within the bank keeper but not all. Currently the blockedaddresses are checked but not the send_enabled coins. This allows a smart contract to bypass restrictions that prevent account holders from transfering coins
The CosmWasm project should either implement all of the checks the bankmodule does on the send method or optionally switch from the direct unprotected keeper call to using the Send method which implements these checks
The text was updated successfully, but these errors were encountered:
Summary
Within the CosmWasm keeper the function that sends coins using the bank module performs some of the validation that should be within the bank keeper but not all. Currently the blockedaddresses are checked but not the send_enabled coins. This allows a smart contract to bypass restrictions that prevent account holders from transfering coins
wasmd/x/wasm/internal/keeper/keeper.go
Line 333 in d0befd9
The bank module only performs the send disabled checks on the msg_server send method.
https://github.com/cosmos/cosmos-sdk/blob/73e38e4009a57951b72e2998b4e3d5db2d499d04/x/bank/keeper/msg_server.go#L29
Proposed Fix
The CosmWasm project should either implement all of the checks the bankmodule does on the send method or optionally switch from the direct unprotected keeper call to using the Send method which implements these checks
The text was updated successfully, but these errors were encountered: