# Full Report
The fee grant module in the Cosmos SDK is used to set up a different account that pays for gas on your behalf. Once an allowlisted amount was set for a given user, they were given a specific allowance. When using the fee grant module as a user, the amount of fees the user had access to was never updated. So, once you had the allowance, it was effectively infinite! It's wild that this got past testing, imo. From reading the code snippets, it appears that the original developer thought the `Accept()` function was updating the stored value, when it was really only checking it. So, the author of the PR had to add code that modifies the allowance object and subtracts the spent fees from it.
# Analysis Summary
# Vulnerability: Logic Error Leading to Infinite Fee Allowance in Cosmos SDK
## CVE Details
- **CVE ID**: CVE-2023-30613 (Associated with the reported Feegrant issue)
- **CVSS Score**: 7.5 (High)
- **CWE**: CWE-670: Always-Incorrect Control Flow Implementation / CWE-682: Incorrect Calculation
## Affected Systems
- **Products**: Cosmos SDK
- **Versions**:
  - v0.45.x (prior to v0.45.16)
  - v0.46.x (prior to v0.46.13)
  - v0.47.x (prior to v0.47.2)
- **Configurations**: Chains utilizing the `x/feegrant` module with `AllowedMsgAllowance` and `BasicAllowance` configurations.
## Vulnerability Description
A logic flaw existed in the Cosmos SDK `x/feegrant` module where the state of a user's fee allowance was not correctly persisted after use. When a user performed a transaction using an `AllowedMsgAllowance`, the system would trigger the `Accept()` function. While this function would validate whether the transaction was within the allowed limit, it failed to propagate the updated (decremented) balance back to the parent allowance object.
Consequently, the deducted fees were never subtracted from the user's granted pool in the state machine, effectively granting the user an infinite gas allowance up to the maximum single-transaction limit defined in their grant.
## Exploitation
- **Status**: PoC available (Included in the PR as a regression test).
- **Complexity**: Low
- **Attack Vector**: Network (Any user with an existing feegrant can exploit this).
## Impact
- **Confidentiality**: None
- **Integrity**: Low (Unauthorized use of granter's funds for gas).
- **Availability**: Medium (Potential for a grantee to drain a granter's account via gas fees, potentially impacting the granter's ability to perform transactions).
## Remediation
### Patches
The fix was merged into the official Cosmos SDK repository and backported to stable release branches:
- **v0.45.16**
- **v0.46.13**
- **v0.47.2**
The fix ensures that the `Accept()` method properly updates the internal state of the allowance and that these changes are correctly saved to the store.
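The following is an added illustration of the control-flow difference described in the Vulnerability Description and in the fix above; it is not code from the Cosmos SDK or from the PR. It models the two allowance types with a constructed single-denomination `Coins` type and a plain value field standing in for the protobuf `Any` that holds the inner allowance: unpacking the `Any` yields a fresh copy, so a decrement made on that copy is lost unless it is packed back. `AcceptVulnerable` follows the pre-fix flow, `AcceptFixed` adds the write-back the patch introduced, and `Spend` counts how many transactions a grantee gets through on a fixed fee. All names other than `BasicAllowance`, `AllowedMsgAllowance`, `Accept`, `GetAllowance` and `SetAllowance` are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Coins is a constructed single-denomination stand-in for sdk.Coins.
type Coins int64

// BasicAllowance has the shape of feegrant.BasicAllowance: Accept validates the fee,
// decrements SpendLimit on the receiver, and reports remove=true once it reaches zero.
type BasicAllowance struct {
	SpendLimit Coins
}

func (b *BasicAllowance) Accept(fee Coins) (remove bool, err error) {
	if fee > b.SpendLimit {
		return false, errors.New("fee limit exceeded")
	}
	b.SpendLimit -= fee
	return b.SpendLimit == 0, nil
}

// AllowedMsgAllowance wraps an inner allowance. In the SDK the inner allowance sits in a
// protobuf Any and GetAllowance unpacks a fresh value each call; a value field models that.
type AllowedMsgAllowance struct {
	inner BasicAllowance
}

// NewGrant builds a wrapped grant with the given spend limit (example helper).
func NewGrant(limit Coins) *AllowedMsgAllowance {
	return &AllowedMsgAllowance{inner: BasicAllowance{SpendLimit: limit}}
}

// GetAllowance returns a copy, just as unpacking the Any does.
func (a *AllowedMsgAllowance) GetAllowance() *BasicAllowance {
	c := a.inner
	return &c
}

// SetAllowance writes the (possibly mutated) copy back, as re-packing the Any does.
func (a *AllowedMsgAllowance) SetAllowance(b *BasicAllowance) {
	a.inner = *b
}

// AcceptVulnerable mirrors the pre-fix control flow: the inner Accept decrements its
// copy, but nothing writes the copy back, so the stored limit never changes.
func (a *AllowedMsgAllowance) AcceptVulnerable(fee Coins) (bool, error) {
	return a.GetAllowance().Accept(fee)
}

// AcceptFixed adds the step the patch introduced: persist the decremented inner
// allowance whenever the grant is not being removed outright.
func (a *AllowedMsgAllowance) AcceptFixed(fee Coins) (bool, error) {
	inner := a.GetAllowance()
	remove, err := inner.Accept(fee)
	if err != nil {
		return false, err
	}
	if !remove {
		a.SetAllowance(inner)
	}
	return remove, nil
}

// Spend submits up to n transactions paying fee each and returns how many were accepted.
// It stops at the first rejection or when the allowance reports itself exhausted, which
// is the point at which the keeper would delete the grant.
func Spend(accept func(Coins) (bool, error), fee Coins, n int) int {
	accepted := 0
	for i := 0; i < n; i++ {
		remove, err := accept(fee)
		if err != nil {
			break
		}
		accepted++
		if remove {
			break
		}
	}
	return accepted
}

func main() {
	vuln, fixed := NewGrant(100), NewGrant(100)
	// Pre-fix: every tx sees the original limit, so all 10 attempts at fee 30 go through.
	fmt.Println("vulnerable, fee 30 on a 100 limit, accepted:", Spend(vuln.AcceptVulnerable, 30, 10)) // 10
	// Patched: 100 -> 70 -> 40 -> 10, then the fourth tx is rejected.
	fmt.Println("fixed, fee 30 on a 100 limit, accepted:", Spend(fixed.AcceptFixed, 30, 10)) // 3
}
```

The write-back is gated on `!remove` because an exhausted grant is deleted by the keeper rather than stored with a zero limit; the vulnerable path never reaches either outcome, which is why the grantee's spending is bounded only by the per-transaction limit.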
### Workarounds
- **Disable Feegrant**: If patching is not immediately possible, chain governance could disable the `x/feegrant` module through a software upgrade or parameter change, where the chain supports that.
- **Revoke Grants**: Granters are advised to revoke any existing fee grants to untrusted users until the node software is updated.
## Detection
- **Indicators of compromise**: Monitor blockchain events for `MsgPayee` or `feegrant` usage where the cumulative fees paid by a grantee exceed the `spend_limit` originally defined in their `BasicAllowance`.
- **Detection methods**: Query the `x/feegrant` module state and compare it against historical transaction data to see if the `spend_limit` remained static despite active usage.
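As an added example of the two detection checks listed above (not tooling from the Cosmos SDK or the advisory), the program below sums fees paid per granter/grantee pair from a constructed set of simplified fee-payment events and compares each total with the grant's original `spend_limit` and with the value currently held in module state. A pair is flagged when cumulative fees exceed the original limit, or when fees were paid yet the stored limit never moved. The record shapes (`Grant`, `FeeEvent`, `Finding`), the field names and the sample addresses and heights are all constructed for this example; in practice the inputs come from the chain's tx indexer and a `x/feegrant` state query.

```go
package main

import "fmt"

// Grant is a constructed view of a BasicAllowance record as read from x/feegrant state.
type Grant struct {
	Granter, Grantee string
	OriginalLimit    int64 // spend_limit at grant creation
	StoredLimit      int64 // spend_limit currently held in module state
}

// FeeEvent is a constructed, simplified record of one tx whose fee was paid via a grant.
type FeeEvent struct {
	Height           int64
	Granter, Grantee string
	Fee              int64
}

// Finding flags a granter/grantee pair whose usage contradicts its recorded allowance.
type Finding struct {
	Granter, Grantee string
	Cumulative       int64
	ExceedsLimit     bool // cumulative fees paid exceed the original spend_limit
	LimitStatic      bool // fees were paid, yet the stored spend_limit never moved
}

// Analyze sums fees per (granter, grantee) pair and compares them with each grant.
func Analyze(grants []Grant, events []FeeEvent) []Finding {
	type pair struct{ granter, grantee string }
	totals := map[pair]int64{}
	for _, e := range events {
		totals[pair{e.Granter, e.Grantee}] += e.Fee
	}
	var findings []Finding
	for _, g := range grants {
		cum := totals[pair{g.Granter, g.Grantee}]
		f := Finding{
			Granter: g.Granter, Grantee: g.Grantee, Cumulative: cum,
			ExceedsLimit: cum > g.OriginalLimit,
			LimitStatic:  cum > 0 && g.StoredLimit == g.OriginalLimit,
		}
		if f.ExceedsLimit || f.LimitStatic {
			findings = append(findings, f)
		}
	}
	return findings
}

// Constructed sample data: three grants from one granter; only grantee-a shows the bug.
var (
	sampleGrants = []Grant{
		{Granter: "granter1", Grantee: "grantee-a", OriginalLimit: 100, StoredLimit: 100}, // never decremented
		{Granter: "granter1", Grantee: "grantee-b", OriginalLimit: 100, StoredLimit: 40},  // decremented correctly
		{Granter: "granter1", Grantee: "grantee-c", OriginalLimit: 100, StoredLimit: 100}, // unused so far
	}
	sampleEvents = []FeeEvent{
		{Height: 1001, Granter: "granter1", Grantee: "grantee-a", Fee: 30},
		{Height: 1002, Granter: "granter1", Grantee: "grantee-b", Fee: 60},
		{Height: 1003, Granter: "granter1", Grantee: "grantee-a", Fee: 30},
		{Height: 1004, Granter: "granter1", Grantee: "grantee-a", Fee: 30},
		{Height: 1005, Granter: "granter1", Grantee: "grantee-a", Fee: 30},
		{Height: 1006, Granter: "granter1", Grantee: "grantee-a", Fee: 30},
	}
)

// SampleFindings runs the analysis over the constructed data.
func SampleFindings() []Finding { return Analyze(sampleGrants, sampleEvents) }

func main() {
	for _, f := range SampleFindings() {
		fmt.Printf("%s -> %s: paid %d, exceeds limit=%t, limit static=%t\n",
			f.Granter, f.Grantee, f.Cumulative, f.ExceedsLimit, f.LimitStatic)
	}
}
```

The `LimitStatic` check catches the bug before the grantee has overspent, since a correctly functioning grant's stored limit falls with every paid fee; `ExceedsLimit` confirms actual abuse once cumulative fees pass the original limit. An unused grant produces no finding because its static limit is expected.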
## References
- **Vendor Advisory**: [https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-9pxf-hr97-cg94](https://github.com/cosmos/cosmos-sdk/security/advisories/GHSA-9pxf-hr97-cg94)
- **Pull Request**: [https://github.com/cosmos/cosmos-sdk/pull/16097](https://github.com/cosmos/cosmos-sdk/pull/16097)
- **Shade Protocol Report**: Mentioned as the initial discoverer of the discrepancy.