🛡️ Potential Reentrancy using Timeout Callbacks #635

Closed
ccamel opened this issue May 17, 2024 · 0 comments · Fixed by #664

ccamel commented May 17, 2024

Note

Severity: Info
target: v7.1.0 - Commit: 3c854270b006db30aa3894da2cdba10cc31b8c5f
Ref: OKP4 Blockchain Audit Report v1.0 - 02-05-2024 - BlockApex

Description

During the course of the audit, an advisory, "ASA-2024-007: Potential Reentrancy using Timeout Callbacks in ibc-hooks", was published by ibc-go. According to it, an attacker could potentially execute the same MsgTimeout inside the IBC hook for the OnTimeout callback before the packet commitment is deleted. On chains where ibc-hooks wraps ICS-20, this vulnerability may allow for the logic of the OnTimeout callback of the transfer application to be recursively executed, leading to a condition that may present the opportunity for the loss of funds from the escrow account or unexpected minting of tokens. The requirements for the issue are:

  • Chain is IBC-enabled and uses a vulnerable version of ibc-go
  • Chain is CosmWasm-enabled and allows code uploads for wasm contracts by anyone, or by authorized parties (to a lesser extent)
  • Chain utilizes the ibc-hooks middleware and wraps ICS-20 transfer application

We found okp4 to fulfill 2 configurations:

  1. Ibc-go version being used is v8.0
  2. Cosmwasm is enabled to upload contracts

Since ibc-hooks are not being used by okp4 yet, the exploit cannot be fully performed.

Recommendation

It is advised to update the ibc-go version; if in the future cross-chain funds transferring is enabled and ibc-hooks are used, then in that case this bug shouldn't get activated.

@ccamel ccamel added the security audit Categorizes an issue or PR as relevant to Security Audit label May 17, 2024
@github-project-automation github-project-automation bot moved this to 📋 Backlog in 💻 Development May 17, 2024
@ccamel ccamel moved this from 📋 Backlog to 📆 To do in 💻 Development May 17, 2024
@bdeneux bdeneux self-assigned this May 30, 2024
@bdeneux bdeneux linked a pull request May 30, 2024 that will close this issue
@github-project-automation github-project-automation bot moved this from 📆 To do to ✅ Done in 💻 Development Jun 4, 2024
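
The ordering problem described in the issue, as an added example that is not part of the original issue and is not ibc-go or ibc-hooks code: a toy model in which the timeout callback runs either before or after the packet commitment is deleted. `Channel`, `Timeout`, `Run` and the escrow amounts are hypothetical names and constructed values.

```go
package main

import "fmt"

// Channel is a toy model (hypothetical, not ibc-go code) of packet
// commitments plus an escrow balance that timeouts refund from.
type Channel struct {
	commitments map[uint64]bool
	escrow      int
	deleteFirst bool // true: delete the commitment before the callback
	hook        func(c *Channel, seq uint64, amount int)
}

// Timeout refunds amount for seq if a commitment for seq still exists.
func (c *Channel) Timeout(seq uint64, amount int) error {
	if !c.commitments[seq] {
		return fmt.Errorf("no commitment for sequence %d", seq)
	}
	if c.deleteFirst {
		delete(c.commitments, seq) // effect first: a nested call fails the check
	}
	c.escrow -= amount // OnTimeout refund of the transfer application
	if c.hook != nil {
		c.hook(c, seq, amount) // hook hands control to contract code
	}
	if !c.deleteFirst {
		delete(c.commitments, seq) // too late: callback saw a live commitment
	}
	return nil
}

// Run escrows 100 for packet 1 beside 100 belonging to another transfer,
// times packet 1 out with a hook that re-enters once, returns the escrow left.
func Run(deleteFirst bool) int {
	reentered := false
	c := &Channel{commitments: map[uint64]bool{1: true}, escrow: 200, deleteFirst: deleteFirst}
	c.hook = func(c *Channel, seq uint64, amount int) {
		if !reentered { // constructed contract behaviour
			reentered = true
			_ = c.Timeout(seq, amount)
		}
	}
	_ = c.Timeout(1, 100)
	return c.escrow
}

func main() {
	fmt.Println("callback before delete, escrow left:", Run(false))
	fmt.Println("delete before callback, escrow left:", Run(true))
}
```

With the callback first, the nested call passes the commitment check and the refund is paid twice out of escrow; with the deletion first, the nested call is rejected and only the sender's own 100 leaves escrow.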