GHSA-7q74-g774-7x3g: Interchain Security: The signers of ICS messages do not need to match the provider address
Context
ICS has the following four messages that enable validators on the provider chain to perform different actions:
- MsgOptIn – adds a validator to the consumer chain’s active set
- MsgOptOut – removes a validator from the consumer chain’s active set
- MsgAssignConsumerKey – changes the consensus key used for a validator’s operations on a consumer chain
- MsgSetConsumerCommissionRate – sets a validator’s consumer-specific commission rate
Normally, only the respective validators are allowed to perform these actions.
Issue
The upgrade to SDK 0.50 introduced a signer field to these messages. This field is used to authenticate the user sending the message to the system. However, there was no validation on the ICS side to check whether the signer matches the provider address.
As a result, any user could opt in, opt out, change the commission rate, or change what public key a validator uses on a consumer chain.
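The missing check, sketched as an added example (not the ICS project's code): a message is accepted only when the signer's address bytes equal those of the validator it targets. The `Msg` struct, its field names, `CheckSigner`, `rawAddr` and the `acc:`/`valoper:` hex addresses are hypothetical stand-ins for the real message types and bech32 addresses, and the example assumes a validator's account address and operator address encode the same underlying bytes.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Msg models the fields the four ICS messages share (simplified, hypothetical).
type Msg struct {
	Type         string
	ProviderAddr string // validator the action applies to
	Signer       string // account authenticated as the sender
}

var ErrUnauthorized = errors.New("signer does not match provider address")

// rawAddr returns the address bytes; prefixed hex stands in for bech32 here.
func rawAddr(addr, prefix string) ([]byte, error) {
	if !strings.HasPrefix(addr, prefix) {
		return nil, fmt.Errorf("address %q lacks prefix %q", addr, prefix)
	}
	return hex.DecodeString(addr[len(prefix):])
}

// CheckSigner compares decoded bytes, since the two encodings never match as strings.
func CheckSigner(m Msg) error {
	val, err := rawAddr(m.ProviderAddr, "valoper:")
	if err != nil {
		return err
	}
	acc, err := rawAddr(m.Signer, "acc:")
	if err != nil {
		return err
	}
	if len(val) == 0 || !bytes.Equal(val, acc) {
		return ErrUnauthorized
	}
	return nil
}

func main() {
	for _, signer := range []string{"acc:aabbccdd", "acc:11223344"} { // constructed values
		m := Msg{Type: "MsgOptOut", ProviderAddr: "valoper:aabbccdd", Signer: signer}
		fmt.Printf("%s signed by %s: err=%v\n", m.Type, signer, CheckSigner(m))
	}
}
```

The check belongs in the handler of every one of the four messages, before any state change is made.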
For more context, check out the code: