Platform: Code4rena
Start Date: 03/05/2022
Pot Size: $75,000 USDC
Total HM: 6
Participants: 55
Period: 7 days
Judge: Albert Chon
Total Solo HM: 2
Id: 116
League: COSMOS
Rank: 13/55
Findings: 3
Award: $1,237.09
🌟 Selected for report: 0
🚀 Solo Findings: 0
https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L659-L669 https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L276
In the constructor, it is checked that the cumulative power is greater than the threshold:
uint256 cumulativePower = 0; for (uint256 i = 0; i < _powers.length; i++) { cumulativePower = cumulativePower + _powers[i]; if (cumulativePower > _powerThreshold) { break; } } require( cumulativePower > _powerThreshold, "Submitted validator set signatures do not have enough power." );
However, updateValset doesn't have this check.
therefore it's possible to change the contract state such that the submitted validator set signatures do not have enough power
add this check to updateValset
#0 - V-Staykov
2022-05-11T11:10:14Z
Duplicate of #123
🌟 Selected for report: p_crypt0
Also found by: 0x1337, GermanKuber, IllIllI, WatchPug, csanuragjain, danb, dirk_y, kirk-baird
https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L632
the admin can steal all the money.
#0 - mlukanova
2022-05-10T14:32:54Z
Duplicate of #14
🌟 Selected for report: IllIllI
Also found by: 0x1337, 0x1f8b, 0xDjango, 0xkatana, AmitN, CertoraInc, Dravee, Funen, GermanKuber, GimelSec, Hawkeye, JC, MaratCerby, WatchPug, Waze, broccolirob, cccz, ch13fd357r0y3r, cryptphi, danb, defsec, delfin454000, dipp, dirk_y, ellahi, gzeon, hake, hubble, ilan, jah, jayjonah8, kebabsec, kirk-baird, m9800, orion, oyc_109, robee, shenwilly, simon135, sorrynotsorry
114.279 USDC - $114.28
https://github.com/code-423n4/2022-05-cudos/blob/main/solidity/contracts/Gravity.sol#L659
In the constructor, cumulativePower can overflow.
If the powers sum overflows, it will make the contract malfunction, because the cumulativePower in checkValidatorSignatures may overflow, and then it's possible that more votes in favor, will make the proposal fail.
let's assume the powers sum overflow.
the are two validators.
In a proposal, in checkValidatorSignatures, the first validator's power is MAX_UINT, therefore the proposal should pass, but the second validator power is 1, and when it's added to it, it becomes 0, and the proposal fails.
use safe math of openzeppelin at line 661
#0 - V-Staykov
2022-05-11T07:42:45Z
This is technically an issue, but it is done without safe math on purpose, because the comulative power of all the validators is calculated proportionally and made sure on the cosmos module side that it will never overflow. That said, if the contract is looked on as a standalone contract, this is an issue, but when looked at as part of the whole solution and working with the Gravity module, this should not be a problem.
Here is a comment explaining how and why the normalization is done - https://github.com/code-423n4/2022-05-cudos/blob/main/module/x/gravity/keeper/keeper_valset.go#L206
And here is the actual code of the normalization - https://github.com/code-423n4/2022-05-cudos/blob/main/module/x/gravity/keeper/keeper_valset.go#L265
#1 - albertchon
2022-05-18T22:21:28Z
Agreed
#2 - JeeberC4
2022-05-19T18:31:46Z
Creating warden's QA Report as judge downgraded issue. Preserving original title: powers sum can overflow