
GHSA-7q74-g774-7x3g: Interchain Security: The signers of ICS messages do not need to match the provider address

September 5, 2024 (updated September 6, 2024)

Context

ICS has the following four messages that enable validators on the provider chain to perform different actions:

  • MsgOptIn – adds a validator to the consumer chain’s active set
  • MsgOptOut – removes a validator from the consumer chain’s active set
  • MsgAssignConsumerKey – changes the consensus key used for a validator’s operations on a consumer chain
  • MsgSetConsumerCommissionRate – sets a validator’s consumer-specific commission rate

Normally, only the respective validators are allowed to perform these actions.

Issue

The upgrade to SDK 0.50 introduced a signer field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check that the signer matches the provider address.

As a result, any user could opt-in, opt-out, change the commission rate, or change what public key a validator uses on a consumer chain.
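The following Go model is an added illustration, not code from the interchain-security project: an opt-in handler that trusts the SDK-authenticated signer without comparing it to the provider validator address, beside one that performs the check the advisory describes as missing. The type, field and function names are assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrSignerMismatch = errors.New("signer does not match provider validator address")

// ValidatorMsg models what the four ICS validator messages share here: an
// SDK-authenticated signer and the provider validator address acted on.
type ValidatorMsg interface {
	GetSigner() string
	GetProviderAddr() string
}

type MsgOptIn struct{ Signer, ProviderAddr, ConsumerID string }

func (m MsgOptIn) GetSigner() string       { return m.Signer }
func (m MsgOptIn) GetProviderAddr() string { return m.ProviderAddr }

// authorizeValidatorMsg is the check the advisory describes as missing. This model
// compares strings; a real chain would compare the underlying address bytes, since
// account and validator-operator addresses carry different bech32 prefixes.
func authorizeValidatorMsg(msg ValidatorMsg) error {
	if msg.GetSigner() != msg.GetProviderAddr() {
		return fmt.Errorf("%w: signer=%s provider=%s", ErrSignerMismatch, msg.GetSigner(), msg.GetProviderAddr())
	}
	return nil
}

// handleOptInUnchecked mirrors the flawed behaviour: any signer can add any validator.
func handleOptInUnchecked(activeSet map[string]bool, msg MsgOptIn) error {
	activeSet[msg.ProviderAddr] = true
	return nil
}

// handleOptInChecked authorizes the signer before mutating the active set.
func handleOptInChecked(activeSet map[string]bool, msg MsgOptIn) error {
	if err := authorizeValidatorMsg(msg); err != nil {
		return err
	}
	activeSet[msg.ProviderAddr] = true
	return nil
}

func main() {
	// Constructed sample: a third party signs an opt-in naming someone else's validator.
	msg := MsgOptIn{Signer: "cosmos1thirdparty", ProviderAddr: "cosmos1validator", ConsumerID: "consumer-1"}
	fmt.Println(handleOptInUnchecked(map[string]bool{}, msg), handleOptInChecked(map[string]bool{}, msg))
}
```

The unchecked handler returns nil and mutates the active set for the third-party message; the checked handler returns ErrSignerMismatch and leaves state untouched.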

For more context, check out the code.

References

  • github.com/advisories/GHSA-7q74-g774-7x3g
  • github.com/cosmos/interchain-security
  • github.com/cosmos/interchain-security/security/advisories/GHSA-7q74-g774-7x3g


Affected versions

All versions

Solution

Unfortunately, there is no solution available yet.

Source file

go/github.com/cosmos/interchain-security/v4/GHSA-7q74-g774-7x3g.yml



Page generated Wed, 14 May 2025 12:14:43 +0000.