Merge pull request #2865 from irisnet/yuandu/fix-vesting-loophole

fix: vesting account loophole
irisnet · Sep 13, 2023 · 419abb5 · 419abb5
2 parents 1a98a50 + 08455d5
commit 419abb5
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -23,6 +23,10 @@
 * (IRISHub) [\#2852](https://github.com/irisnet/irishub/pull/2852) refactor: fix eip712 signature and inject ParseChainID method
 * (IRISMod) [irismod \#367](https://github.com/irisnet/irismod/pull/367) Fix rest uri conflict in mt module
 
+### Security
+
+* (IRISHub) [\#2865](https://github.com/irisnet/irishub/pull/2865) Disable the vesting account creation to prevent contract address front-running.
+
 ## 2.0.0
 
 ### State Machine Breaking

diff --git a/ante/handler_options.go b/ante/handler_options.go
@@ -64,6 +64,7 @@ func newEthAnteHandler(options HandlerOptions) sdk.AnteHandler {
 func newCosmosAnteHandler(options HandlerOptions) sdk.AnteHandler {
 	return sdk.ChainAnteDecorators(
 		RejectMessagesDecorator{},
+		NewRejectVestingDecorator(),
 		ante.NewSetUpContextDecorator(), // outermost AnteDecorator. SetUpContext must be called first
 		ante.NewExtensionOptionsDecorator(options.ExtensionOptionChecker),
 		ante.NewValidateBasicDecorator(),

diff --git a/ante/vesting.go b/ante/vesting.go
@@ -0,0 +1,31 @@
+package ante
+
+import (
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+
+	vestingtypes "github.com/cosmos/cosmos-sdk/x/auth/vesting/types"
+)
+
+// RejectVestingDecorator is responsible for rejecting the vesting msg
+type RejectVestingDecorator struct{}
+
+// NewRejectVestingDecorator returns an instance of ValidateVestingDecorator
+func NewRejectVestingDecorator() RejectVestingDecorator {
+	return RejectVestingDecorator{}
+}
+
+// AnteHandle checks the transaction
+func (vvd RejectVestingDecorator) AnteHandle(ctx sdk.Context,
+	tx sdk.Tx, simulate bool, next sdk.AnteHandler) (sdk.Context, error) {
+	for _, msg := range tx.GetMsgs() {
+		switch msg.(type) {
+		case *vestingtypes.MsgCreateVestingAccount,
+			*vestingtypes.MsgCreatePermanentLockedAccount,
+			*vestingtypes.MsgCreatePeriodicVestingAccount:
+			return ctx, sdkerrors.Wrap(sdkerrors.ErrInvalidRequest,
+				"currently doesn't support creating vesting account")
+		}
+	}
+	return next(ctx, tx, simulate)
+}