Summary
Within the CosmWasm keeper, the function that sends coins using the bank module performs some of the validation that should be within the bank keeper, but not all. Currently the blocked addresses are checked but not the send_enabled coins. This allows a smart contract to bypass restrictions that prevent account holders from transferring coins.
wasmd/x/wasm/internal/keeper/keeper.go
Line 333 in d0befd9
The bank module only performs the send disabled checks on the msg_server send method.
https://github.com/cosmos/cosmos-sdk/blob/73e38e4009a57951b72e2998b4e3d5db2d499d04/x/bank/keeper/msg_server.go#L29
Proposed Fix
The CosmWasm project should either implement all of the checks the bank module does on the send method, or optionally switch from the direct unprotected keeper call to using the Send method, which implements these checks.
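The gap reported above, as an added self-contained model. It is not wasmd or Cosmos SDK code: the `Bank` type, its methods and the sample state are all hypothetical stand-ins. It shows a contract-side send path that checks blocked addresses only, next to the message-server style path that also checks whether sending is enabled for the denom.

```go
package main

import (
	"errors"
	"fmt"
)

// Bank is a simplified stand-in for bank module state; every name here is hypothetical.
type Bank struct {
	blocked     map[string]bool  // addresses that must not receive funds
	sendEnabled map[string]bool  // per-denom transfer switch
	balances    map[string]int64 // key: address + "/" + denom
}
var ErrBlocked = errors.New("recipient is a blocked address")
var ErrSendDisabled = errors.New("transfers are disabled for this denom")

// rawSend models the direct keeper call: it moves funds with no policy checks.
func (b *Bank) rawSend(from, to, denom string, amt int64) {
	b.balances[from+"/"+denom] -= amt
	b.balances[to+"/"+denom] += amt
}

// MsgSend models the message-server path: both checks run before funds move.
func (b *Bank) MsgSend(from, to, denom string, amt int64) error {
	if !b.sendEnabled[denom] {
		return ErrSendDisabled
	}
	if b.blocked[to] {
		return ErrBlocked
	}
	b.rawSend(from, to, denom, amt)
	return nil
}

// ContractSendPartial models the reported path: blocked-address check only.
func (b *Bank) ContractSendPartial(from, to, denom string, amt int64) error {
	if b.blocked[to] {
		return ErrBlocked
	}
	b.rawSend(from, to, denom, amt)
	return nil
}

// newBank builds constructed sample state: denom "locked" has sending disabled.
func newBank() *Bank {
	return &Bank{map[string]bool{"feepool": true}, map[string]bool{"free": true}, map[string]int64{"contract/locked": 100}}
}

func main() {
	fmt.Println("partial path:", newBank().ContractSendPartial("contract", "bob", "locked", 10))
	fmt.Println("checked path:", newBank().MsgSend("contract", "bob", "locked", 10))
}
```

Routing the contract's send through the fully checked path, as the proposed fix suggests, makes both entry points enforce the same policy.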