Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Duplicate accounts in cw20 initial balances causes unrecoverable inconsistent state #626

Closed
harryscholes opened this issue Jan 10, 2022 · 3 comments · Fixed by #659
Closed

Duplicate accounts in cw20 initial balances causes unrecoverable inconsistent state #626

harryscholes opened this issue Jan 10, 2022 · 3 comments · Fixed by #659
Assignees
@harryscholes
Milestone
v0.11.1

Comments

@harryscholes
Copy link
Contributor

If initial_balances contains one or more duplicate accounts, these accounts will have the balance of the final balance saved to state, whilst the total_supply will be the sum over all initial balances provided.

cw-plus/contracts/cw20-base/src/contract.rs

Lines 154 to 162 in 501efe8

pub fn create_accounts(deps: &mut DepsMut, accounts: &[Cw20Coin]) -> StdResult<Uint128> {
let mut total_supply = Uint128::zero();
for row in accounts {
let address = deps.api.addr_validate(&row.address)?;
BALANCES.save(deps.storage, &address, &row.amount)?;
total_supply += row.amount;
}
Ok(total_supply)
}

Example:

#[test]
fn inconsistent_total_supply_with_duplicate_accounts_in_initial_balances() {
    let mut deps = mock_dependencies(&[]);
    let instantiate_msg = InstantiateMsg {
        name: "Cash Token".to_string(),
        symbol: "CASH".to_string(),
        decimals: 9,
        initial_balances: vec![
            Cw20Coin {
                address: String::from("addr0000"),
                amount: Uint128::from(1u128),
            },
            Cw20Coin {
                address: String::from("addr0000"),
                amount: Uint128::from(1u128),
            },
        ],
        mint: None,
        marketing: None,
    };
    let info = mock_info("creator", &[]);
    let env = mock_env();
    instantiate(deps.as_mut(), env, info, instantiate_msg).unwrap();

    let token_info = query_token_info(deps.as_ref()).unwrap();
    assert_eq!(token_info.total_supply, Uint128::new(2));
    assert_eq!(get_balance(deps.as_ref(), "addr0000"), Uint128::new(1));
}

Should we assert that all accounts in initial_balances are unique? Happy to make a PR for this if there is interest.

NB this was found in an audit of Mars protocol in a contract that was forked from the cw-plus cw20-base contract.
@ethanfrey
Copy link
Member

Thank you for this report. It would be good to assert that all addresses in the initial_balances list only appear once, and fail if there are duplicates

@ethanfrey ethanfrey added this to the v0.11.1 milestone Jan 25, 2022
@maurolacy maurolacy self-assigned this Jan 28, 2022
@maurolacy
Copy link
Contributor

maurolacy commented Jan 28, 2022
edited
Loading

@harryscholes do you want to provide a fix for this? I'll assign it to you then.

@maurolacy maurolacy assigned harryscholes and unassigned maurolacy Jan 28, 2022
@harryscholes
Copy link
Contributor Author

harryscholes commented Jan 28, 2022
edited
Loading

Thanks @maurolacy. I'll submit a PR in the next couple of weeks

@harryscholes harryscholes mentioned this issue Feb 15, 2022
Merged
@tac0turtle tac0turtle mentioned this issue Mar 23, 2022
Closed
ethanfrey added a commit to harryscholes/cw-plus that referenced this issue Mar 24, 2022
@ethanfrey
Merge branch 'main' into fix-CosmWasm#626
4de633f
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@harryscholes harryscholes

Labels
None yet
Projects
None yet
Milestone
v0.11.1
Development

Successfully merging a pull request may close this issue.

cw20-base: validate addresses are unique in initial balances harryscholes/cw-plus
3 participants
@ethanfrey @harryscholes @maurolacy