NULL Pointer Dereference in handleMsgLockCoin()

[Jdkhnjggf]

Describe The Bug

The lock of an unregistered coin leads to a null pointer dereference of the asset handler located at /x/asset/handler.go. Specifically, the handleMsgLockCoin() routine is designed to handle the MsgLockCoin message in order to lock a coin. However, the checks on the input message are not thorough. As a result, a malicious MsgLockCoin message can be crafted to contain an unregistered coin and its execution could lead to a null pointer dereference of the running processes. In the following, we show the related code snippet.

Code Snippets (Optional)

165	// handleMsgLockCoin Handle Msg lock coin
166	func handleMsgLockCoin(ctx chainTypes.Context, k keeper.AssetCoinsKeeper, msg *types.MsgLockCoin) (*sdk.Result, error) {
	    ... ...
181	    for _, c := range msgData.Amount {
182	        creator, symbol, err := chainTypes.CoinAccountsFromDenom(c.Denom)
183		if err != nil {
184		    return nil, sdkerrors.Wrapf(err, "get creator and symbol from coin %s", msg.Amount.String())
185		}
186
187		stat, err := k.GetCoinStat(ctx.Context(), creator, symbol)
188		if err != nil {
189		    return nil, sdkerrors.Wrapf(err, "get coin stat from coin %s", msg.Amount.String())
190		}
191
192		if !stat.CanLock {
193		    return nil, sdkerrors.Wrapf(types.ErrAssetCoinCannotBeLock, "coin %s cannot be locked", msg.Amount.String())
194		}
195	    }

Input/Output

1. Craft a MsgLockCoin: '{"id": "kratos", "amount": "1kratos/kvs", "height": "111"}'
2. Output: '{"panic": "runtime error: invalid memory address or nil pointer dereference"}'

To Reproduce
Steps to reproduce the behavior:

1. sudo ./scripts/boot-testnet.sh
2. sudo ./build/ktscli tx asset lock kratos 111 1kratos/kvs --keyring-backend test --chain-id testing --home /testing/cli/ --from kratos

Expected Behavior

Returns an error "coin stat is nil".

Screenshots

Desktop (please complete the following information):

• OS: [macOS High Sierra 10.13.6]

Additional Context (Optional)

None

Contact Information

Email - ryzhang@peckshield.cn

[aquarius-kuchain]

ref #7

[Pisces-Anjou]

Hi,

Thanks for your submission with such detail information!

We have tested the issue you mentioned and did reproduce it.

Note that issue #7 and issue #8 were caused by the same reason, where function GetCoinStat() didn't return an error message as expect when query token is not existed, which resulted in an exception thrown by the subsequent handing process. This is our negligence. Thanks for your reminder.

We count the two reports(#7 and #8) as one since they were caused by the same reason. What's more, we believe the impact that might be delivered by the issue you mentioned is rather limited, it will not affect the normal operation of the chain, and it is not in the scope from P1 to P4. After evaluation, we consider it is not a valid vulnerability but it does a good improve suggestion.

Thanks for your attention and contribution! Please keep trying and help us improve our chain.

Regards

KuChain Team

[Jdkhnjggf]

Hi,

issue #7 and issue #8 do count as the same issue, and yes, the panic will be recovered from recover().

But I think they fit your description of P4 as "Denial of service of non-critical functions", right?

[Pisces-Anjou]

Hi,

We have received your appeal. Our jury will evaluate it again. We will inform you with the final result.

Thanks for your attention and contribution! Please keep trying and help us improve our chain.

Regards

KuChain Team

[Pisces-Anjou]

Hi,

After evaluation by the jury, your vulnerability has been graded as P4.
Congratulations! Please pay attention to the announcement to get your rewards.
Thanks for your attention and contribution! Please keep trying and help us improve our chain.

Regards
KuChain Team