π‘οΈ Denial of Service (DOS) via Front-Running Leads to Law Stone Initialization Failure #550
Labels
security audit
Categorizes an issue or PR as relevant to Security Audit
Comments
ccamel
added
the
security audit
|
Agree with the analysis, however this case has already been fixed in a version post-audit: #528 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Note
Severity: Critical
target: v5.0.0 - Commit: cde785fbd2dad71608d53f8524e0ef8c8f8178af
Ref: OKP4 CosmWasm Audit Report v1.0 - 02-05-2024 - BlockApex
Description
The instantiation process of the Law Stone contract is susceptible to a front-running vulnerability when interacting with the Objectarium contract for storing .pl files. This vulnerability stems from the public visibility of transaction data in the mempool, which allows attackers to intercept and replicate the initialization parameters. The core issue arises during the instantiate function's call to store_object in the Objectarium. If an attacker captures and submits the same data/program to the Objectarium ahead of the legitimate transaction, the Law Stone's initialization will fail, leading to repeated Denial of Service (DoS)
Impact
This vulnerability exposes the Law Stone contract to a persistent threat of initialization failure, which can be systematically exploited to prevent its deployment.
Recommendation
Ensure that the Objectarium is aware of the Law Stone's dependencies and enforces checks that the calling contract matches expected parameters.
Ref
contracts/okp4-law-stone/src/contract.rscontracts/okp4-objectarium/src/contract.rsThe text was updated successfully, but these errors were encountered: