Wrong address prefix for ethermint bech32 account leads to inability to authorize users #29
Labels: 3 (High Risk) (Assets can be stolen/lost/compromised directly); bug (Something isn't working); 🤖_primary (AI based primary recommendation); sufficient quality report (This report is of sufficient quality)
Lines of code
https://github.com/code-423n4/2024-05-canto/blob/d1d51b2293d4689f467b8b1c82bba84f8f7ea008/ethermint-main/app/app.go#L373
Vulnerability details
According to breaking changes:
cosmos/cosmos-sdk#9759
While this change was added, Canto still uses the hardcoded default from the Cosmos SDK:
ethermint-main/app/app.go
github.com/cosmos/cosmos-sdk@v0.50.6/types/address.go
The default is "cosmos", while ethermint overrides it to the custom prefix ethm in ethermint-main/cmd/config/config.go:
Which is then used in ethermintd on startup:
As a side note, the Tendermint docs mention that accounts have the eth prefix. Similarly, Evmos, while a successor to Tendermint, uses the evmos prefix according to the docs.
This is problematic for messages that translate Bech32 addresses to EVM-compatible addresses, such as uses of msg.Sender.
Impact
Failing account validation during bech32 to EVM address conversion.
Proof of Concept
When converting the address from Bech32 to EVM, the following is called:
And inside, GetBech32AccountAddrPrefix() takes the prefix from address:
Finally, GetFromBech32() decodes the address and verifies that the prefix passed is the same as config.bech32AddressPrefix:
So, while the bech32 prefix is hardcoded to cosmos in ethermint-main/app/app.go, here it is taken from the config, where it has the value ethm.
Because of this, all functions requiring an authority check may stop working. E.g. in ethermint-main/x/evm/keeper/msg_server.go:
The same occurs when verifying msg.sender in canto-main/x/erc20/keeper/msg_server.go:
Tools Used
Manual Review
Recommended Mitigation Steps
The best option seems to be using cosmos/cosmos-sdk@v0.50.6/types/config.go#GetBech32AccountAddrPrefix() and making sure that the account_addr config property is set. This way, sdk.AccAddressFromBech32() will not error out, because there won't be an address prefix mismatch.
Exemplary fix diff:
Assessed type
Invalid Validation
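The prefix check that the Proof of Concept walks through, and the config-driven fix from the Recommended Mitigation Steps, as an added example that is not part of this report or of the Canto/ethermint code base: a self-contained Python model with a bech32 codec reimplemented from BIP-173, a stand-in Config whose get_bech32_account_addr_prefix() plays the role of the SDK getter, and a check_authority helper modelled on sdk.GetFromBech32 followed by a keeper's authority comparison. The 20-byte module-account value is constructed, and every name other than the "cosmos" and "ethm" prefixes is an assumption made for the example.

```python
"""Model of the bech32 prefix mismatch described in the report.

bech32 is reimplemented from BIP-173 so the example runs without cosmos-sdk;
Cosmos AccAddress strings use exactly this encoding (HRP, '1', 5-bit groups,
6-character checksum). Function and class names here are assumptions.
"""
from dataclasses import dataclass

CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def _polymod(values):
    # BIP-173 checksum polynomial over the expanded HRP plus data groups.
    chk = 1
    for v in values:
        b = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (b >> i) & 1:
                chk ^= GEN[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    # Regroup the bit stream: 8->5 when encoding, 5->8 when decoding.
    acc = bits = 0
    out = []
    maxv = (1 << tobits) - 1
    max_acc = (1 << (frombits + tobits - 1)) - 1
    for value in data:
        acc = ((acc << frombits) | value) & max_acc
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding")
    return out


def bech32_encode(hrp, payload):
    """Encode raw address bytes under the given HRP (like the SDK's Bech32ifyAddressBytes)."""
    data = _convertbits(payload, 8, 5, True)
    mod = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    checksum = [(mod >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def bech32_decode(s):
    """Return (hrp, payload_bytes); raise ValueError on malformed input or bad checksum."""
    s = s.lower()
    pos = s.rfind("1")
    if pos < 1 or pos + 7 > len(s):
        raise ValueError("invalid separator position")
    hrp, data = s[:pos], [CHARSET.find(c) for c in s[pos + 1:]]
    if -1 in data:
        raise ValueError("invalid character")
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("checksum mismatch")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, False))


@dataclass
class Config:
    """Stand-in for sdk.Config: the prefix the chain really uses lives here (ethm)."""
    bech32_address_prefix: str

    def get_bech32_account_addr_prefix(self):
        return self.bech32_address_prefix


# Stand-in for the app.go value that stayed at the SDK default.
HARDCODED_PREFIX = "cosmos"


def get_from_bech32(addr, expected_prefix):
    """Modelled on sdk.GetFromBech32: decode, then reject on HRP mismatch."""
    hrp, payload = bech32_decode(addr)
    if hrp != expected_prefix:
        raise ValueError(f"invalid Bech32 prefix; expected {expected_prefix}, got {hrp}")
    return payload


def check_authority(authority, msg_authority, expected_prefix):
    """Keeper-style authority check: None on success, otherwise the rejection reason."""
    try:
        got = get_from_bech32(msg_authority, expected_prefix)
    except ValueError as e:
        return str(e)
    return None if got == authority else "unauthorized"


if __name__ == "__main__":
    cfg = Config("ethm")
    authority = bytes([0x42]) * 20  # constructed module-account bytes
    addr = bech32_encode(cfg.get_bech32_account_addr_prefix(), authority)
    print(addr)
    print("hardcoded prefix:", check_authority(authority, addr, HARDCODED_PREFIX))
    print("config prefix:", check_authority(authority, addr, cfg.get_bech32_account_addr_prefix()))
```

Running the script shows the two code paths from the report side by side: the authority string is encoded with the chain's configured ethm prefix, so decoding it under the hardcoded cosmos prefix is rejected with the prefix error before any authority comparison happens, while decoding under the prefix read from Config succeeds and the bytes match.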