Gravity Bridge contest - jmak's results

An open and decentralized Eth–Cosmos bridge.

General Information

Platform: Code4rena

Start Date: 26/08/2021

Pot Size: $100,000 USDC

Total HM: 8

Participants: 13

Period: 14 days

Judge: Albert Chon

Total Solo HM: 7

Id: 27

League: COSMOS

Althea

Researcher Performance

Rank: 2/13

Findings: 1

Award: $15,658.74

🌟 Selected for report: 1

🚀 Solo Findings: 1

Findings Information

🌟 Selected for report: jmak

Labels

bug
3 (High Risk)
sponsor confirmed

Awards

15658.7384 USDC - $15,658.74

Handle

jmak

Vulnerability details

Impact

The SubmitBadSignatureEvidence is not actually registered in the handler and hence no one can actually submit this message, rendering the message useless. This harms the security model of Gravity since validators have no disincentive to attempt to collude and take over the bridge.

Proof of Concept

The SubmitBadSignatureEvidence handler is omitted from module/x/gravity/handler.go.

Tools Used

Visual inspection

Handle the MsgSubmitBadSignatureEvidence in module/x/gravity/handler.go.
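
A routing-coverage check for the omission described in this finding, as an added example that is not part of the original submission or the Gravity code base. It is a simplified Go model: plain structs stand in for the module's Cosmos SDK messages, and `route`, `declaredMsgs` and `unrouted` are hypothetical names. Every declared message type is fed through the handler switch, and any type that falls through as unrecognized is reported.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
)

// Simplified stand-ins (assumption) for the module's message types.
type MsgSendToEth struct{}
type MsgValsetConfirm struct{}
type MsgSubmitBadSignatureEvidence struct{}

var errUnrecognized = errors.New("unrecognized message type")

// declaredMsgs lists every message type the module exposes to users.
func declaredMsgs() []interface{} {
	return []interface{}{MsgSendToEth{}, MsgValsetConfirm{}, MsgSubmitBadSignatureEvidence{}}
}

// route models a handler switch. withEvidence=false reproduces the reported
// omission; withEvidence=true models the handler with the case added.
func route(withEvidence bool) func(interface{}) error {
	return func(m interface{}) error {
		switch m.(type) {
		case MsgSendToEth, MsgValsetConfirm:
			return nil
		case MsgSubmitBadSignatureEvidence:
			if withEvidence {
				return nil
			}
		}
		return fmt.Errorf("%w: %T", errUnrecognized, m)
	}
}

// unrouted returns the declared messages the handler rejects as unrecognized.
func unrouted(h func(interface{}) error) []string {
	var missing []string
	for _, m := range declaredMsgs() {
		if err := h(m); errors.Is(err, errUnrecognized) {
			missing = append(missing, reflect.TypeOf(m).Name())
		}
	}
	return missing
}

func main() {
	fmt.Println("before:", unrouted(route(false)), "after:", unrouted(route(true)))
}
```

Run as a unit test in CI, a check of this shape fails as soon as a message type is declared without a matching handler case.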

#0 - jkilpatr

2021-09-10T12:59:18Z

This was resolved here

https://github.com/althea-net/cosmos-gravity-bridge/commit/ad6bd78d4c968c3eef5a8ab7a38b42cd3269d186

This is a valid bug considering this fix is not included in the code hash up for review.

#1 - loudoguno

2021-10-01T03:44:55Z

Reopening as per judge's assessment as "primary issue" on findings sheet.
