You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"failed to transfer %s from address %s using the EVM block context transfer function",
msg.Value(),
msg.From(),
)
}
which presumes that the cost of a message will always be either 0 or positive. That's all gucci to think about, but what happens if for example a message with an actual negative value is passed in? That check will not reject it and later on it'll be propagated across the stack because it passed the "CanTransfer" check and later on when calculating gas costs and deducting balances, we could even end up with increasing the account balance :-( (this could possibly even be a security vulnerability)
Remedy
Please firstly check that the amount is negative and if so, reject it with a direct error, then also please add a regression test to the code
+if msg.Value() == nil || msg.Value().Sign() == -1 {+ return errors.New("message.Value must be positive")+}
Is there an existing issue for this?
What happened?
While auditing this code I noticed this pattern
evmos/app/ante/evm/07_can_transfer.go
Lines 49 to 56 in ad1e289
which presumes that the cost of a message will always be either 0 or positive. That's all gucci to think about, but what happens if for example a message with an actual negative value is passed in? That check will not reject it and later on it'll be propagated across the stack because it passed the "CanTransfer" check and later on when calculating gas costs and deducting balances, we could even end up with increasing the account balance :-( (this could possibly even be a security vulnerability)
Remedy
Please firstly check that the amount is negative and if so, reject it with a direct error, then also please add a regression test to the code
/cc @fedekunze
Evmos Version
main
How to reproduce?
Please read the bug report above
The text was updated successfully, but these errors were encountered: