fix: vesting account loophole

CHANGELOG.md

@@ -23,6 +23,10 @@
 * (IRISHub) [\#2852](https://github.com/irisnet/irishub/pull/2852) refactor: fix eip712 signature and inject ParseChainID method
 * (IRISMod) [irismod \#367](https://github.com/irisnet/irismod/pull/367) Fix rest uri conflict in mt module
 
+### Security
+
+* (IRISHub) [\#2865](https://github.com/irisnet/irishub/pull/2860) Disable the vesting account creation to prevent contract address front-running.
+
 ## 2.0.0
 
 ### State Machine Breaking

ante/handler_options.go

@@ -88,6 +88,7 @@ func newCosmosAnteHandler(options HandlerOptions) sdk.AnteHandler {
 		NewValidateServiceDecorator(),
 		ante.NewIncrementSequenceDecorator(options.AccountKeeper),
 		ibcante.NewRedundantRelayDecorator(options.IBCKeeper),
+		NewRejectVestingDecorator(),
 	)
 }
 

ante/vesting.go

@@ -0,0 +1,31 @@
+package ante
+
+import (
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+
+	vestingtypes "github.com/cosmos/cosmos-sdk/x/auth/vesting/types"
+)
+
+// RejectVestingDecorator is responsible for rejecting the vesting msg
+type RejectVestingDecorator struct{}
+
+// NewRejectVestingDecorator returns an instance of ValidateVestingDecorator
+func NewRejectVestingDecorator() RejectVestingDecorator {
+	return RejectVestingDecorator{}
+}
+
+// AnteHandle checks the transaction
+func (vvd RejectVestingDecorator) AnteHandle(ctx sdk.Context,
+	tx sdk.Tx, simulate bool, next sdk.AnteHandler) (sdk.Context, error) {
+	for _, msg := range tx.GetMsgs() {
+		switch msg.(type) {
+		case *vestingtypes.MsgCreateVestingAccount,
+			*vestingtypes.MsgCreatePermanentLockedAccount,
+			*vestingtypes.MsgCreatePeriodicVestingAccount:
+			return ctx, sdkerrors.Wrap(sdkerrors.ErrInvalidRequest,
+				"currently doesn't support creating vesting account")
+		}
+	}
+	return next(ctx, tx, simulate)
+}