🛡️ Denial of Service (DOS) via Front-Running Leads to Law Stone Initialization Failure

[ccamel]

Note

Severity: Critical
target: v5.0.0 - Commit: cde785fbd2dad71608d53f8524e0ef8c8f8178af
Ref: OKP4 CosmWasm Audit Report v1.0 - 02-05-2024 - BlockApex

Description

The instantiation process of the Law Stone contract is susceptible to a front-running vulnerability when interacting with the Objectarium contract for storing .pl files. This vulnerability stems from the public visibility of transaction data in the mempool, which allows attackers to intercept and replicate the initialization parameters. The core issue arises during the instantiate function's call to store_object in the Objectarium. If an attacker captures and submits the same data/program to the Objectarium ahead of the legitimate transaction, the Law Stone's initialization will fail, leading to repeated Denial of Service (DoS)

Impact

This vulnerability exposes the Law Stone contract to a persistent threat of initialization failure, which can be systematically exploited to prevent its deployment.

Recommendation

Ensure that the Objectarium is aware of the Law Stone's dependencies and enforces checks that the calling contract matches expected parameters.

Ref

• contracts/okp4-law-stone/src/contract.rs
• contracts/okp4-objectarium/src/contract.rs

[amimart]

Agree with the analysis, however this case has already been fixed in a version post-audit: #528