Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

πŸ›‘οΈ Lack of Storage Address Validation in Law-Stone Instantiation #557

Closed
ccamel opened this issue May 23, 2024 · 5 comments
Closed

πŸ›‘οΈ Lack of Storage Address Validation in Law-Stone Instantiation #557

ccamel opened this issue May 23, 2024 · 5 comments
Labels
security audit Categorizes an issue or PR as relevant to Security Audit

Comments

@ccamel
Copy link
Member

ccamel commented May 23, 2024

Note

Severity: Low
target: v5.0.0 - Commit: cde785fbd2dad71608d53f8524e0ef8c8f8178af
Ref: OKP4 CosmWasm Audit Report v1.0 - 02-05-2024 - BlockApex

Description

The instantiation process of the law-Stone does not include validation for the storage_address provided in the InstantiateMsg.This will result in a transaction failure.

Recommendation

Implement proper validation checks in the instantiate function to ensure the storage_address is well-formed and authorized for the intended operational context.
@ccamel ccamel added the security audit Categorizes an issue or PR as relevant to Security Audit label May 23, 2024
@github-project-automation github-project-automation bot moved this to πŸ“‹ Backlog in πŸ’» Development May 23, 2024
@ccamel ccamel moved this from πŸ“‹ Backlog to πŸ“† To do in πŸ’» Development May 23, 2024
@amimart
Copy link
Member

amimart commented Jun 13, 2024

I don't see any benefits in adding validation on the provided storage address, it would still end up in a transaction failure, and with the downside of causing more cost..

I'm in favour of closing this one, let me know what you think @ccamel @bdeneux

@bdeneux
Copy link
Contributor

bdeneux commented Jun 13, 2024

@amimart Absolutely, the verification is indeed indirectly handled when the instantiate function attempts to store the object. Therefore, an additional check might not be necessary.

Otherwise, regarding the storage_address in msg.rs, it is currently defined as a String. It could be beneficial to change its type to Addr to leverage the built-in validation provided by the JSON serde (I think it's possible).

@ccamel
Copy link
Member Author

ccamel commented Jun 14, 2024

@bdeneux From what I see from: https://docs.rs/cosmwasm-std/latest/cosmwasm_std/struct.Addr.html

Addr must not be used in messages sent by the user because this would result in unvalidated instances.

@ccamel
Copy link
Member Author

ccamel commented Jun 14, 2024

I would also be in favour of closing this one for all the reasons already mentioned.

@amimart
Copy link
Member

amimart commented Jun 14, 2024

If we all agree, let's close this one :)

@amimart amimart closed this as completed Jun 14, 2024
@github-project-automation github-project-automation bot moved this from πŸ“† To do to βœ… Done in πŸ’» Development Jun 14, 2024
@ccamel ccamel moved this from βœ… Done to πŸ™… Declined in πŸ’» Development Jun 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security audit Categorizes an issue or PR as relevant to Security Audit
Projects
πŸ’» Development
Status: πŸ™… Declined
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ccamel @amimart @bdeneux