From d3370f231aaf4876649b4d88993b7ff3a3ff676d Mon Sep 17 00:00:00 2001
From: Assaf Morami
Date: Thu, 11 May 2023 17:35:12 +0300
Subject: [PATCH 1/2] fix(feegrant): infinite feegrant bug (#16097)
---
 x/feegrant/filtered_fee.go | 12 ++++-
 x/feegrant/filtered_fee_test.go | 82 +++++++++++++++++++++++++++++++++
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 x/feegrant/filtered_fee_test.go
diff --git a/x/feegrant/filtered_fee.go b/x/feegrant/filtered_fee.go
index f83f3c5f6277..b9eaff18cbd0 100644
--- a/x/feegrant/filtered_fee.go
+++ b/x/feegrant/filtered_fee.go
@@ -63,7 +63,17 @@ func (a *AllowedMsgAllowance) Accept(ctx sdk.Context, fee sdk.Coins, msgs []sdk.
 return false, err
 }
 
- return allowance.Accept(ctx, fee, msgs)
+ remove, err := allowance.Accept(ctx, fee, msgs)
+ if err != nil {
+ return false, err
+ }
+
+ a.Allowance, err = types.NewAnyWithValue(allowance.(proto.Message))
+ if err != nil {
+ return false, err
+ }
+
+ return remove, nil
 }
 
 func (a *AllowedMsgAllowance) allowedMsgsToMap(ctx sdk.Context) map[string]bool {
diff --git a/x/feegrant/filtered_fee_test.go b/x/feegrant/filtered_fee_test.go
new file mode 100644
index 000000000000..a1be11fa65ab
--- /dev/null
+++ b/x/feegrant/filtered_fee_test.go
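Review bot: The new error branch `if err != nil { return false, err }` discards the `remove` flag that the replaced `return allowance.Accept(ctx, fee, msgs)` passed through together with the error. If an inner allowance can report removal alongside an error (an expired grant would be the likely case; not visible in this hunk), callers of the filtered allowance would no longer be told to prune it, so I would write `return remove, err` in that branch and only re-pack on success. Separately, `allowance.(proto.Message)` is an unchecked assertion; the comma-ok form with an explicit error return avoids a panic if an allowance type that is not a proto message is ever wrapped. Accept's body starts above the hunk, so how `allowance` is unpacked is not visible here.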
@@ -0,0 +1,82 @@
+package feegrant_test
+
+import (
+ "testing"
+ "time"
+
+ bank "github.com/cosmos/cosmos-sdk/x/bank/types"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ tmproto "github.com/tendermint/tendermint/proto/tendermint/types"
+
+ codectypes "github.com/cosmos/cosmos-sdk/codec/types"
+ "github.com/cosmos/cosmos-sdk/simapp"
+ sdk "github.com/cosmos/cosmos-sdk/types"
+ "github.com/cosmos/cosmos-sdk/x/feegrant"
+)
+
+func TestFilteredFeeValidAllow(t *testing.T) {
+ app := simapp.Setup(false)
+
+ smallAtom := sdk.NewCoins(sdk.NewInt64Coin("atom", 488))
+ bigAtom := sdk.NewCoins(sdk.NewInt64Coin("atom", 1000))
+ leftAtom := sdk.NewCoins(sdk.NewInt64Coin("atom", 512))
+
+ basicAllowance, _ := codectypes.NewAnyWithValue(&feegrant.BasicAllowance{
+ SpendLimit: bigAtom,
+ })
+
+ cases := map[string]struct {
+ allowance *feegrant.AllowedMsgAllowance
+ // all other checks are ignored if valid=false
+ fee sdk.Coins
+ blockTime time.Time
+ valid bool
+ accept bool
+ remove bool
+ remains sdk.Coins
+ }{
+ "internal fee is updated": {
+ allowance: &feegrant.AllowedMsgAllowance{
+ Allowance: basicAllowance,
+ AllowedMessages: []string{"/cosmos.bank.v1beta1.MsgSend"},
+ },
+ fee: smallAtom,
+ accept: true,
+ remove: false,
+ remains: leftAtom,
+ },
+ }
+
+ for name, stc := range cases {
+ tc := stc // to make scopelint happy
+ t.Run(name, func(t *testing.T) {
+ err := tc.allowance.ValidateBasic()
+ require.NoError(t, err)
+
+ ctx := app.BaseApp.NewContext(false, tmproto.Header{}).WithBlockTime(tc.blockTime)
+
+ // now try to deduct
+ removed, err := tc.allowance.Accept(ctx, tc.fee, []sdk.Msg{
+ &bank.MsgSend{
+ FromAddress: "gm",
+ ToAddress: "gn",
+ Amount: tc.fee,
+ },
+ })
+ if !tc.accept {
+ require.Error(t, err)
+ return
+ }
+ require.NoError(t, err)
+
+ require.Equal(t, tc.remove, removed)
+ if !removed {
+ var basicAllowanceLeft feegrant.BasicAllowance
+ app.AppCodec().Unmarshal(tc.allowance.Allowance.Value, &basicAllowanceLeft)
+
+ assert.Equal(t, tc.remains, basicAllowanceLeft.SpendLimit)
+ }
+ })
+ }
+}
From 9abd946ba0cdc6d0e708bf862b2ca202b13f2d7b Mon Sep 17 00:00:00 2001
From: Julien Robert
Date: Thu, 11 May 2023 17:30:38 +0200
Subject: [PATCH 2/2] chore: prepare v0.45.16 release (#16111)
---
 CHANGELOG.md | 12 ++++++++++--
 RELEASE_NOTES.md | 37 ++++---------------------------------
 2 files changed, 14 insertions(+), 35 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5030fde408cb..595bd5e3e8b1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,11 +35,19 @@ Ref: https://keepachangelog.com/en/1.0.0/
 
 # Changelog
 
-## [Unreleased]
+Since **v0.45.15**, the v0.45.x line of the Cosmos SDK has reached end-of-life.
+Any release after **v0.45.15** is a security release that contains security fixes.
+It is strongly recommended to upgrade to these releases as well.
+
+## [v0.45.16](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.16) - 2023-05-11
+
+### Security Bug Fixes
+
+* (x/feegrant) [#16097](https://github.com/cosmos/cosmos-sdk/pull/16097) Fix infinite feegrant allowance bug.
 
 ## [v0.45.15](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.15) - 2023-03-22
 
-## Improvements
+### Improvements
 
 * (deps) Migrate to [CometBFT](https://github.com/cometbft/cometbft). Follow the instructions in the [release notes](./RELEASE_NOTES.md).
 * (deps) [#15127](https://github.com/cosmos/cosmos-sdk/pull/15127) Bump btcd.
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index c4864c3e91dd..265dd8cc42ba 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
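Review bot: The result of `app.AppCodec().Unmarshal(tc.allowance.Allowance.Value, &basicAllowanceLeft)` is dropped, so a decode failure would surface only as a confusing `SpendLimit` mismatch; I would write `require.NoError(t, app.AppCodec().Unmarshal(tc.allowance.Allowance.Value, &basicAllowanceLeft))` and likewise check the error from `codectypes.NewAnyWithValue` instead of assigning it to `_`. The table holds a single case, and the `valid` and `blockTime` fields are never set while the comment still says other checks depend on `valid`. Since this is the regression test for a grant that could be spent without being decremented, a second `Accept` on the same allowance with a fee above `leftAtom`, expected to return an error, would pin the spend limit itself rather than only the re-encoded remainder.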
@@ -1,21 +1,12 @@
-# Cosmos SDK v0.45.15 Release Notes
+# Cosmos SDK v0.45.16 Release Notes
 
-This release includes the migration to [CometBFT v0.34.27](https://github.com/cometbft/cometbft/blob/v0.34.27/CHANGELOG.md#v03427).
-This migration should be minimally breaking for chains.
-From `v0.45.15`+, the following replace is *mandatory* in the `go.mod` of your application:
+The Cosmos SDK v0.45.x line has reached end-of-life since v0.45.15. This is an exceptional security release according to our [release policy](https://github.com/cosmos/cosmos-sdk/blob/2262199/RELEASE_PROCESS.md#major-release-maintenance).
 
-```go
-// use cometbft
-replace github.com/tendermint/tendermint => github.com/cometbft/cometbft v0.34.27
-```
-
-Additionally, the SDK sets its minimum version to Go 1.19. This is not because the SDK uses new Go 1.19 functionalities, but to signal that we recommend chains to upgrade to Go 1.19 — Go 1.18 is not supported by the Go Team anymore.
-Note, that SDK recommends chains to use the same Go version across all of their network.
-We recommend, as well, chains to perform a **coordinated upgrade** when migrating from Go 1.18 to Go 1.19.
+It fixes an issue in the `x/feegrant` module on version <= v0.45.15. Cosmos SDK v0.46.x+ is not affected.
 
 Please see the [CHANGELOG](https://github.com/cosmos/cosmos-sdk/blob/release/v0.45.x/CHANGELOG.md) for an exhaustive list of changes.
 
-**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.14...v0.45.15
+**Full Commit History**: https://github.com/cosmos/cosmos-sdk/compare/v0.45.15...v0.45.16
 
 ## End-of-Life Notice
 
@@ -25,23 +16,3 @@ The SDK team maintains the two latest major versions of the SDK. This means no f We encourage all chains to upgrade to the latest release of the SDK, or the `v0.46.x` line. Refer to the [upgrading guide](https://github.com/cosmos/cosmos-sdk/blob/main/UPGRADING.md) for how to upgrade a chain to the latest release. - -## FAQ Migration to CometBFT v0.34.27 - -### I use `tm-db` but I get an import error with `cometbft-db` - -For preventing API breaking changes, the SDK team has kept using `tm-db` for `v0.45.x` and `v0.46.x`. -However, the CometBFT team kept using `cometbft-db` for their `v0.34.x` line. -This means if your app directly interact with CometBFT (e.g. for a force pruning command), you will need to use `cometbft-db` there. -When not interacting with CometBFT directly, you can use `tm-db` as usual. - -### I get import errors with `btcd` - -If you are using an old version of `btcd`, you will need to upgrade to the latest version. -The previous versions had vulnerabilities so the SDK and CometBFT have upgraded to the latest version. -In the latest version `btcsuite/btcd` and `btcsuite/btcd/btcec` are two separate go modules. - -### I encounter state sync issues - -Please ensure you have built the binary with the same Go version as the network. -You can easily verify that by querying `/cosmos/base/tendermint/v1beta1/node_info` of a node in the network, and checking the `go_version` field.