New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address SIGN_MODE_LEGACY_AMINO_JSON security issues #6863

Closed

2 tasks done

aaronc opened this issue Jul 27, 2020 · 0 comments · Fixed by #6883

Closed

2 tasks done

Address SIGN_MODE_LEGACY_AMINO_JSON security issues #6863

aaronc opened this issue Jul 27, 2020 · 0 comments · Fixed by #6883

Milestone

v0.40 [Stargate]

Member

aaronc commented Jul 27, 2020 •

edited

Loading

SIGN_MODE_DIRECT addresses malleability by signing raw bytes. Amino JSON signing requires extra care to deal with malleability.

In order to prevent exploits, we need to:

reject all unknown protobuf fields (Protobuf unknown field rejection #6192), non-critical fields cannot be enabled with amino JSON signing
make sure that all new fields on TxBody either have a direct counterpart in StdTx or cause transactions to fail and make sure that SIGN_MODE_LEGACY_AMINO_JSON handles this properly

If the above are not done, a malicious attacker can either add:

random unknown, non-critical fields to protobuf tx's bloating transactions, or
set fields on TxBody that weren't present in the amino JSON SignDoc

The text was updated successfully, but these errors were encountered:

aaronc added this to the v0.40 [Stargate] milestone

This was referenced Jul 29, 2020

Tx Height Timeout #6089

Merged

Reject unknown fields in TxDecoder and sign mode handlers #6883

Merged

mergify bot closed this as completed in #6883

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment