Risky IBC channel-id Validation

[Hellobloc]

Summary of Bug

This repo is an Evmos-based project, and Evmos uses a magic string to identify the opposing chain in IBC protocol to address this vulnerability.. But This practice is bad for their fork projects, as other projects can easily have differences in channel-id when building links with chains like ATOM, leading to incorrect implementations.

        //https://github.com/zama-ai/evmos/blob/main/x/claims/types/params.go#L40-L46
	DefaultAuthorizedChannels = []string{
		"channel-0", // Osmosis
		"channel-3", // Cosmos Hub
	}
	DefaultEVMChannels = []string{
		"channel-2", // Injective
	}

Failure to properly handle these channel-ids and claim methods may result in the above vulnerability not being fixed and still presenting the risk. This is because a malicious user can hijack the relevant channel-id to masquerade as an ATOM and Osmosis chain.

Impact

This issue may leave the claim method still at risk of the above vulnerability when this project's IBC and Claim function is alive.

Additional context

https://github.com/zama-ai/evmos/blob/main/x/claims/types/params.go#L146-L154
https://github.com/zama-ai/evmos/blob/main/x/claims/types/params.go#L25-L31
https://github.com/zama-ai/evmos/blob/main/x/claims/keeper/ibc_callbacks.go#L138-L140

Recommendations

We recommend removing the claim function when the claim method is not used or safeguard the consistency of chain-id to avoid potential risks resulting from future updates.

---

Please note that there are also issues related to the authentication of EVMchannels.

This means that IsEVMChannel() check are also at risk.

---

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned

[github-actions]

This issue is stale because it has been open 45 days with no activity. Remove Status: Stale label or comment or this will be closed in 7 days.