-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AddToInTxTracker doens't allow permissionless tx validation for Bitcoin chain, InTxTracker permissionless tx validation for Bitcoin chain will always fail #563
Comments
According to the README:
|
DadeKuma marked the issue as insufficient quality report |
0xean marked the issue as unsatisfactory: |
Hey @0xean, I don't get why this is invalid.
Note that this issue concerns only (2)This report argues that a) //x/crosschain/keeper/msg_server_add_to_intx_tracker.go
func (k msgServer) AddToInTxTracker(goCtx context.Context, msg *types.MsgAddToInTxTracker) (*types.MsgAddToInTxTrackerResponse, error) {
...
if common.IsEVMChain(msg.ChainId) {
err = k.VerifyEVMInTxBody(ctx, msg, txBytes)
...
} else {
//@audit when ChainId is bitCoin chain, this will return an error
|> return nil, types.ErrTxBodyVerificationFail.Wrapf(fmt.Sprintf("cannot verify inTx body for chain %d", msg.ChainId))
} b) //x/crosschain/keeper/msg_server_add_to_outtx_tracker.go
func (k msgServer) AddToOutTxTracker(goCtx context.Context, msg *types.MsgAddToOutTxTracker) (*types.MsgAddToOutTxTrackerResponse, error) {
...
chain := k.zetaObserverKeeper.GetParams(ctx).GetChainFromChainID(msg.ChainId)
...
if msg.Proof != nil { // verify proof when it is provided
...
|> err = k.VerifyOutTxBody(ctx, msg, txBytes)
if err != nil {
return nil, types.ErrTxBodyVerificationFail.Wrapf(err.Error())
}
isProven = true
...
}
func (k Keeper) VerifyOutTxBody(ctx sdk.Context, msg *types.MsgAddToOutTxTracker, txBytes []byte) error {
...
// verify message against transaction body
if common.IsEVMChain(msg.ChainId) {
err = VerifyEVMOutTxBody(msg, txBytes, tss.Eth)
//@audit-info note: this supports both chains
|> } else if common.IsBitcoinChain(msg.ChainId) {
err = VerifyBTCOutTxBody(msg, txBytes, tss.Btc)
} else {
return fmt.Errorf("cannot verify outTx body for chain %d", msg.ChainId)
}
...
} |
@flowercrimson - thanks for raising this (again). I agree its not handled correctly for BTC on the input flow AND it does state that it should in the contest docs. There is of course a work around (using the permissioned flow). That being said since the sponsor call out this new flow as being important, I think it probably warrants M. Lets get @lumtis to provide an opinion here on severity before we finalize it all. |
0xean marked the issue as satisfactory |
Yes, Bitcoin should be added here. |
lumtis (sponsor) confirmed |
thanks all, M it is. |
0xean marked the issue as selected for report |
Lines of code
https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/node/x/crosschain/keeper/msg_server_add_to_intx_tracker.go#L38-L39
Vulnerability details
Impact
Permissionless tx validation for EVM and Bitcoin chain should be supported based on contest doc
→ The system is currently implemented for Ethereum/BSC and Bitcoin
. However, currently permissionless tx validation for EVM and Bitcoin chain are only supported inAddToOutTxTracker
, but not supported inAddToInTxTracker
. Permissionless validation for InTx for bitcoin chain will always fail.Proof of Concept
In
AddToInTxTracker()
from msg_server_add_to_intx_tracker.go, chain is incorrectly diverted. The bitcoin chain is missing and will return an error.(https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/node/x/crosschain/keeper/msg_server_add_to_intx_tracker.go#L38-L39)
Notice in
AddToOutTxTracker()
, bitcoin chain is correctly diverted withelse if common.IsBitcoinChain(msg.ChainId)
statement.Tools Used
Manual review
Recommended Mitigation Steps
In
AddToInTxTracker()
, addIsBitcoinChain(msg.ChainId)
to correctly handle when chainId is bitcoin chain.Assessed type
Error
The text was updated successfully, but these errors were encountered: