Luis Quispe Gonzales, a security researcher at Halborn discovered a zero-day vulnerability arising from the lack of normalization of addresses in Bech32 specification (a format for SegWit addresses) in CosmWasm, which allows an attacker to bypass validity checks or break storage keys under certain conditions.

Smart contracts based on CosmWasm have been deployed on over 20 blockchains. This vulnerability potentially affects all CosmWasm-based contracts that perform comparisons or other operations based on account addresses.

Understanding the Vulnerability

Bech32 is a format for Segregated Witness (SegWit) addresses. The Bech32 encoding uses an alphabet composed of 32 letters and numbers and allows addresses to be valid if all letters are lowercase or uppercase.

Many developers assume that addresses will always be represented in lowercase or that addr_validate function will normalize them correctly, so they implement critical functionality based on this assumption. 

However, the inadequate handling of uppercase addresses and their lack of normalization in CosmWasm contracts can cause numerous undesirable effects in vulnerable smart contracts.  

Some examples include:

  • Bypassed Validity Checks: A smart contract function may include a validity check that tests against a blocklist of one or more addresses.  If this test assumes that all addresses will be lowercase, the use of an uppercase address can bypass the blocklist.
  • Duplicate Liquidity Pools: Multiple liquidity pools for the same token pair dilute liquidity, which is bad for the protocol and its users.  Many protocols will test to ensure that only one pool exists for a token with a given contract address.  This test can be bypassed by using capitalized addresses, allowing multiple liquidity pools for the same token pair.
  • Permanently Locked Tokens: In CW20 tokens, it is possible to send a token to an uppercase version of a user’s address.  However, these tokens will then be locked forever because the code implementing transfers from that address validates that the address is completely lowercase.

These are only some examples of how CosmWasm-based smart contracts could implement validity checks and other functionality that can be broken by the use of uppercase addresses.  

Vulnerable functions can be easily exploited by an attacker calling them with an uppercase version of an account address.

Remediation

Blockchain security firm Halborn has reported this vulnerability to Confio, a leading blockchain development team focused on building DeFi and interchain projects including CosmWasm. Confio has released a patch for the vulnerability. This patch has been audited by Halborn and corrects the issue by validating correctly the lower-case / upper-case addresses in addr_validate function.

Smart contract developers should audit their code for validity checks and other operations that assume that addresses are lowercase. Once reviewed, chains should upgrade the CosmWasm host to take advantage of the CosmWasm patch for the vulnerability.

Halborn Discovers Zero-Day Vulnerability in CosmWasm Smart Contracts Across 20+ Blockchains
Rob Behnke
04.06.2022