Possible attack vector in multiple Msgs in a Tx #589

kimurayu45z · 2024-11-19T18:49:56Z

https://github.com/skip-mev/block-sdk/blob/v2.1.5/lanes/free/lane.go#L41

func DefaultMatchHandler() base.MatchHandler {
	return func(_ sdk.Context, tx sdk.Tx) bool {
		for _, msg := range tx.GetMsgs() {
			switch msg.(type) {
			case *types.MsgDelegate:
				return true
			case *types.MsgBeginRedelegate:
				return true
			case *types.MsgCancelUnbondingDelegation:
				return true
			}
		}

		return false
	}
}

This match handler of Free lane regards as matching when at least one of Msgs listed above is contained in the Tx.
In this case, by inserting very heavy Msg after MsgDelegate, can't we consider an attack vector?

To solve this problem, the match handler should be like this:

func DefaultMatchHandler() base.MatchHandler {
	return func(_ sdk.Context, tx sdk.Tx) bool {
		for _, msg := range tx.GetMsgs() {
			switch msg.(type) {
			case *types.MsgDelegate:
				continue
			case *types.MsgBeginRedelegate:
				continue
			case *types.MsgCancelUnbondingDelegation:
				continue
			}
                        return false
		}

		return true
	}
}

In this match handler, Free lane accept only Txs which all Msgs are white listed (not at least one of).

If this issue get agreed, I will create a Pull Request.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Possible attack vector in multiple Msgs in a Tx #589

Possible attack vector in multiple Msgs in a Tx #589

kimurayu45z commented Nov 19, 2024

Possible attack vector in multiple Msgs in a Tx #589

Possible attack vector in multiple Msgs in a Tx #589

Comments

kimurayu45z commented Nov 19, 2024