R4R: Fix token printing bug #3207

Merged
merged 3 commits into from Jan 2, 2019

@cwgoes
Contributor

commented Jan 2, 2019

Quoth @ValarDragon:

This stems from a buggy coins.IsValid function. In the IsValid function, https://github.com/cosmos/cosmos-sdk/blob/develop/types/coin.go#L140, it just checks if the coins object is sorted and only has coins with positive value. However when there are multiple tokens, (the default case in the switch statement), the first denom doesn't get its coins value checked for being positive. This means the first denom can be negative or zero. (Recall that it's a signed big int >_>, I really wish the uint war would end with everyone being convinced of uints)

This PR adds in desired checks in coins.IsValid() and adds a testcase for a negative first-denom coin.

  • Wrote tests
  • Updated relevant documentation (docs/)
  • Added entries in PENDING.md with issue #
  • Re-reviewed Files changed in the GitHub PR explorer

For Admin Use:

  • Added appropriate labels to PR (ex. wip, ready-for-review, docs)
  • Reviewers Assigned
  • Squashed all commits, uses message "Merge pull request #XYZ: [title]" (coding standards)
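
The validation gap described in the quoted report, as an added example that is not part of this PR or the cosmos-sdk source: a simplified Go reconstruction showing how a multi-coin set with a negative first denom passes the flawed check and is rejected once every coin is checked. The `Coin` type with an `int64` amount and the names `isValidBuggy` and `isValidFixed` are assumptions made for illustration.

```go
package main

import "fmt"

// Coin is a simplified stand-in (assumption): the real amount is a signed
// big integer; int64 is used here to keep the example short.
type Coin struct {
	Denom  string
	Amount int64
}

// isValidBuggy reconstructs the flaw from the description: in the multi-coin
// (default) case the loop starts at the second coin, so coins[0].Amount is
// never checked for being positive.
func isValidBuggy(coins []Coin) bool {
	switch len(coins) {
	case 0:
		return true
	case 1:
		return coins[0].Amount > 0
	default:
		lowDenom := coins[0].Denom
		for _, c := range coins[1:] {
			if c.Denom <= lowDenom || c.Amount <= 0 {
				return false
			}
			lowDenom = c.Denom
		}
		return true
	}
}

// isValidFixed checks positivity of every coin, including the first, and
// requires denoms in strictly increasing order.
func isValidFixed(coins []Coin) bool {
	for i, c := range coins {
		if c.Amount <= 0 || (i > 0 && c.Denom <= coins[i-1].Denom) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed input: negative amount on the first (lowest) denom.
	bad := []Coin{{"atom", -5}, {"photon", 10}}
	fmt.Println(isValidBuggy(bad), isValidFixed(bad)) // true false
}
```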

@cwgoes cwgoes requested a review from ValarDragon Jan 2, 2019

@cwgoes cwgoes requested review from ebuchman and rigelrozanski as code owners Jan 2, 2019

cwgoes added some commits Jan 2, 2019

@codecov

commented Jan 2, 2019

Codecov Report

Merging #3207 into develop will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #3207   +/-   ##
========================================
  Coverage    54.83%   54.83%           
========================================
  Files          133      133           
  Lines         9559     9559           
========================================
  Hits          5242     5242           
  Misses        3996     3996           
  Partials       321      321
@alexanderbez
Contributor

left a comment

LGTM 👍

@ValarDragon

Member

commented Jan 2, 2019

Another thing we should do to mitigate this is make bank.SendCoins ensure all inputs are positive, and that sum_inputs = sum_outputs. We currently only do this on the msg.ValidateBasic, but in order for the keeper to ensure the supply invariant, it must be checked on Keeper.SendCoins as well. (This is another bug contributing to this problem)

@jackzampolin
Contributor

left a comment

Awesome @cwgoes

@cwgoes cwgoes merged commit 5ca8c5b into develop Jan 2, 2019

13 checks passed


@cwgoes cwgoes deleted the cwgoes/fix-token-printing-attack branch Jan 2, 2019

cwgoes added a commit that referenced this pull request Jan 2, 2019

Merge PR #3207: Fix token printing bug
* Add IsPositive, case check on coins[0]
* Link to correct PR
* Add testcase