-
Notifications
You must be signed in to change notification settings - Fork 14
Description
Describe The Bug
The issuance of an unregistered coin leads to a null pointer dereference of the asset handler located at /x/asset/handler.go
. Specifically, the handleMsgIssue()
routine is designed to handle the MsgIssueCoin
message in order to issue a coin. However, the checks on the input message are not thorough. As a result, a malicious MsgIssueCoin
message can be crafted to contain an unregistered coin and its execution could lead to a null pointer dereference of the running processes. In the following, we show the related code snippet.
Code Snippets (Optional)
89 // handleMsgIssue Handle Msg Issue coin
90 func handleMsgIssue(ctx chainTypes.Context, k keeper.AssetCoinsKeeper, msg *types.MsgIssueCoin) (*sdk.Result, error) {
... ...
105 stat, err := k.GetCoinStat(ctx.Context(), msgData.Creator, msgData.Symbol)
106 if err != nil {
107 return nil, sdkerrors.Wrapf(err, "get coin stat from coin %s", msg.Amount.String())
108 }
109
110 // if coins cannot be issue, if there is 1000 blocks after coin created, no one can issue
111 if !stat.CanIssue && (ctx.BlockHeight() > (stat.CreateHeight + 5)) { // FIXME: for test
112 return nil, sdkerrors.Wrapf(types.ErrAssetCoinCannotBeLock, "coin %s cannot be issue after 1000 block from coin create", msg.Amount.String())
113 }
Input/Output
- Craft a MsgIssueCoin: '{"creator": "kratos", "symbol": "kvs", "amount": "1kratos/kvs"}'
- Output: '{"panic": "runtime error: invalid memory address or nil pointer dereference"}'
To Reproduce
Steps to reproduce the behavior:
- sudo ./scripts/boot-testnet.sh
- sudo ./build/ktscli tx asset issue kratos kvs 1kratos/kvs --keyring-backend test --chain-id testing --home /testing/cli/ --from kratos
Expected Behavior
Returns an error "coin stat is nil".
Screenshots
Desktop (please complete the following information):
- OS: [macOS High Sierra 10.13.6]
Additional Context (Optional)
None
Contact Information
Email - [email protected]