7 matches found
The sendToCosmos function does not check for transfer-on-fee/deflationary tokens
Lines of code Gravity.solL595-L609 Vulnerability details Impact The documentation describes the use of tokens other than CUDOS in the Gravity.sol contract; so it is assumed that the CUDOS token will not be the only supported token. The documentation also states that validators on the Tendermint...
Missing powerThreshold validation in function updateValset(in Gravity.sol) could cause the contract non-functional
Lines of code Vulnerability details Impact When the cumulative power of validators in newValset is less than or equal to statepowerThreshold, the checkValidatorSignatures function would fail. Eventually, submitBatch, submitLogicCall & updateValset would fail for the new set of validators. This wi...
The Gravity.sol should have pause/unpause functionality
Lines of code Vulnerability details Impact In case a hack is occuring or an exploit is discovered, the team or validators in this case should be able to pause functionality until the necessary changes are made to the system. Additionally, the gravity.sol contract should be manged by proxy so that...
Tokens with fee on transfer are not supported
Lines of code Vulnerability details There are ERC20 tokens that charge fee for every transfer or transferFrom. In the current implementation, sendToCosmos assumes that the received amount is the same as the transfer amount, and uses it to emit SendToCosmosEvent event. As a result, when bridging t...
Freeze The Bridge Via Large ERC20 Names/Symbols/Denoms
Handle nascent Vulnerability details Ethereum Oracles watch for events on the Gravity.sol contract on the Ethereum blockchain. This is performed in the checkforevents function, ran in the ethoraclemainloop. In this function, there is the following code snippet: let erc20deployed = web3...
The gravity.sol router should have pause/unpause functionality.
Handle tensors Vulnerability details In case a hack is occuring or an exploit is discovered, the team or validators in this case should be able to pause functionality until the necessary changes are made to the system. Additionally, the gravity.sol contract should be manged by proxy so that...
Does the cosmos-sdk listen to only 1 gravity.sol contract address?
Handle tensors Vulnerability details Recently Thorchain which uses cosmos, was hacked because the Thorchain environment listened to emitted events from routers other than the intended one. This allowed a hacker to create a malicious router. Within the ethmainloop of the orchestrator, is the...