In the Cosmos SDK, a vesting account is a type of account whose coins are locked for some vesting schedule. A periodic vesting account will give out funds at defined intervals. A clawback account has an additional locking period, after which the vesting funds are received.
Neither periodic nor clawback accounts validate their input on creation: the code never checks that the amount in each vesting period is positive. Several forks of the Cosmos SDK carry variants of the same missing validation.
So, what's the impact? A vesting account can be initialized so that its funds are impossible to withdraw. With a negative token amount such as -1stake in a vesting period, the bank module's check that a user isn't overdrawing their balance panics.
To make this work, the authors claim you would watch for a new account being created, frontrun it and poison it. The account can then receive funds but cannot send them out. Frontrunning is unlikely to occur in Cosmos but is technically possible.
To fix the bug, simply validate that all amounts are positive. Overall, a good read and a useful look into vesting accounts in the Cosmos SDK.
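As an added illustration of the fix (not code from the write-up or from the Cosmos SDK itself), here is a standalone Go validator over simplified stand-in `Coin` and `Period` types that rejects a schedule containing -1stake; it goes a little beyond the positive-amount check named above by also requiring that the periods sum exactly to the original vesting total.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// Coin and Period are simplified stand-ins (assumption: not the SDK's own types).
type Coin struct {
	Denom  string
	Amount *big.Int
}
type Period struct {
	Length int64  // duration of the period in seconds
	Amount []Coin // coins unlocked when the period ends
}

// ValidatePeriods rejects the schedules the account constructor used to accept:
// non-positive lengths or amounts (e.g. -1stake), empty denoms, and a mismatch with total.
func ValidatePeriods(periods []Period, total []Coin) error {
	sum := map[string]*big.Int{}
	for i, p := range periods {
		if p.Length <= 0 {
			return fmt.Errorf("period %d: length must be positive", i)
		}
		for _, c := range p.Amount {
			if c.Denom == "" || c.Amount == nil || c.Amount.Sign() <= 0 {
				return fmt.Errorf("period %d: %q must be a positive coin", i, c.Denom)
			}
			cur := new(big.Int)
			if prev := sum[c.Denom]; prev != nil {
				cur.Set(prev)
			}
			sum[c.Denom] = cur.Add(cur, c.Amount)
		}
	}
	if len(sum) != len(total) {
		return errors.New("period denoms do not match original vesting")
	}
	for _, c := range total {
		if s, ok := sum[c.Denom]; !ok || s.Cmp(c.Amount) != 0 {
			return fmt.Errorf("%s periods do not sum to original vesting", c.Denom)
		}
	}
	return nil
}

func main() {
	bad := []Period{{Length: 10, Amount: []Coin{{"stake", big.NewInt(-1)}}}} // constructed input
	fmt.Println(ValidatePeriods(bad, []Coin{{"stake", big.NewInt(-1)}}))   // rejects -1stake
}
```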