This second challenge depicts a common bug that can have critical consequences. This challenge is about...
Wait ❗ Don't you want to try solving it first? 😎
Try finding the security vulnerability in the contract in `./src`.
If you are stuck or want to skip to the explanation of the vulnerability of this challenge, please check the explanation page or our blog post CosmWasm Security Spotlight #2.
To run the functional tests included with this CosmWasm smart contract:
```sh
cargo test --tests -- unittests
```
To run the proof of concept:
```sh
cargo test --tests -- exploit
```
Reading and understanding real audit findings is a great way to make sure you have a grasp of the current security topic. Please check the list below of Oak Security's audit reports 🔍 where this same bug was discovered in a real-world audit:
- Report 1 finding #1 "Task contract execute_update_config is permissionless"
- Report 2 finding #1 "Incorrect permissioning of IbcExecuteProposal execution leads to failure of proposal execution and elevated owner privileges"
- Report 3 finding #6 "Emergency ShutDownVamms messages are not able to execute SetOpen transactions due to lack of permissions"
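All three findings above share one root cause: a privileged message handler that never checks who sent it. The following is an added illustration, not the challenge's contract or any of the audited code; it models a CosmWasm-style `UpdateConfig` handler with plain Rust types in place of `cosmwasm_std` (`MessageInfo`, `Addr`, storage) so it runs stand-alone, and all names in it are assumptions.

```rust
// Simplified model of a CosmWasm config-update handler (constructed example).
// In a real contract `sender` would be `info.sender: Addr` and `config` would
// be loaded from storage with something like `CONFIG.load(deps.storage)?`.

#[derive(Debug, Clone, PartialEq)]
pub struct Config {
    pub owner: String,
    pub fee_bps: u64,
}

#[derive(Debug, PartialEq)]
pub enum ContractError {
    Unauthorized,
}

/// Vulnerable pattern: privileged state is updated without looking at the
/// sender, so any account can rewrite the owner and the fee.
pub fn execute_update_config_vulnerable(
    config: &mut Config,
    _sender: &str,
    new_owner: Option<String>,
    new_fee_bps: Option<u64>,
) -> Result<(), ContractError> {
    if let Some(o) = new_owner { config.owner = o; }
    if let Some(f) = new_fee_bps { config.fee_bps = f; }
    Ok(())
}

/// Hardened pattern: compare the sender with the stored owner before any
/// state is touched. This is the check the audit findings report as missing.
pub fn execute_update_config(
    config: &mut Config,
    sender: &str,
    new_owner: Option<String>,
    new_fee_bps: Option<u64>,
) -> Result<(), ContractError> {
    if sender != config.owner {
        return Err(ContractError::Unauthorized);
    }
    if let Some(o) = new_owner { config.owner = o; }
    if let Some(f) = new_fee_bps { config.fee_bps = f; }
    Ok(())
}

fn main() {
    let mut cfg = Config { owner: "owner".to_string(), fee_bps: 30 };
    let res = execute_update_config(&mut cfg, "someone_else", Some("someone_else".to_string()), None);
    println!("non-owner update: {:?}, owner is still {}", res, cfg.owner);
}
```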