[alias]

wasm = "build --release --lib --target wasm32-unknown-unknown"

unit-test = "test --lib"

schema = "run --bin schema"

[package]

name = "oaksecurity-cosmwasm-ctf-06"

version = "0.1.0"

authors = ["Oak Security <[email protected]>"]

edition = "2021"

exclude = [

# Those files are rust-optimizer artifacts. You might want to commit them for convenience but they should not be part of the source code publication.

"contract.wasm",

"hash.txt",

]

[lib]

crate-type = ["cdylib", "rlib"]

[profile.release]

opt-level = 3

debug = false

rpath = false

lto = true

debug-assertions = false

codegen-units = 1

panic = 'abort'

incremental = false

overflow-checks = true

[features]

backtraces = ["cosmwasm-std/backtraces"]

library = []

[package.metadata.scripts]

optimize = """docker run --rm -v "$(pwd)":/code \

[dependencies]

cosmwasm-schema = "1.1.3"

cosmwasm-std = "1.1.3"

cosmwasm-storage = "1.1.3"

cw-storage-plus = "1.0.1"

cw2 = "1.0.1"

cw20 = "1.0.1"

cw20-base = "1.0.1"

schemars = "0.8.10"

serde = { version = "1.0.145", default-features = false, features = ["derive"] }

thiserror = { version = "1.0.31" }

[dev-dependencies]

cw-multi-test = "0.16.2"

The contract allow anyone to propose themselves for the `owner` role of the contract, the rest of the users can vote in favor by sending a governance token.

If a proposal was voted for with more than a third of the current supply, the user gets the `owner` role.

pub enum ExecuteMsg {

Propose {},

ResolveProposal {},

OwnerAction {

action: CosmosMsg,

},

Receive(Cw20ReceiveMsg),

}

Please check the challenge's [integration_tests](./src/integration_tests.rs) for expected usage examples.

You can use these tests as a base to create your exploit Proof of Concept.

**:house: Base scenario:**

- The contract is newly instantiated

**:star: Goal for the challenge:**

- Demonstrate how a proposer can obtain the owner role without controlling 1/3 of the total supply.

fn main() {}

use cosmwasm_std::{

entry_point, from_binary, to_binary, Binary, CosmosMsg, Deps, DepsMut, Env, MessageInfo,

QueryRequest, Response, StdResult, Uint128, WasmQuery,

use crate::error::ContractError;

use crate::msg::{Cw20HookMsg, ExecuteMsg, InstantiateMsg, QueryMsg};

use crate::state::{Config, Proposal, CONFIG, PROPOSAL};

use cw20::{BalanceResponse, Cw20QueryMsg, Cw20ReceiveMsg, TokenInfoResponse};

pub const DENOM: &str = "uawesome";

pub fn instantiate(

deps: DepsMut,

_env: Env,

_info: MessageInfo,

msg: InstantiateMsg,

) -> Result<Response, ContractError> {

let config = Config {

voting_window: msg.window,

voting_token: deps.api.addr_validate(&msg.token)?,

owner: deps.api.addr_validate(&msg.owner)?,

};

CONFIG.save(deps.storage, &config)?;

Ok(Response::new()

.add_attribute("action", "instantiate")

.add_attribute("voting_window", msg.window.to_string())

.add_attribute("voting_token", msg.token)

.add_attribute("owner", msg.owner))

pub fn execute(

deps: DepsMut,

env: Env,

info: MessageInfo,

msg: ExecuteMsg,

) -> Result<Response, ContractError> {

match msg {

ExecuteMsg::Propose {} => propose(deps, env, info),

ExecuteMsg::ResolveProposal {} => resolve_proposal(deps, env, info),

ExecuteMsg::OwnerAction { action } => owner_action(deps, info, action),

ExecuteMsg::Receive(msg) => receive_cw20(deps, env, info, msg),

}

pub fn receive_cw20(

deps: DepsMut,

env: Env,

info: MessageInfo,

cw20_msg: Cw20ReceiveMsg,

) -> Result<Response, ContractError> {

let config = CONFIG.load(deps.storage)?;

let current_proposal = PROPOSAL.load(deps.storage)?;

match from_binary(&cw20_msg.msg) {

Ok(Cw20HookMsg::CastVote {}) => {

if config.voting_token != info.sender {

return Err(ContractError::Unauthorized {});

}

if current_proposal

.timestamp

.plus_seconds(config.voting_window)

< env.block.time

{

return Err(ContractError::VotingWindowClosed {});

}

Ok(Response::default()

.add_attribute("action", "Vote casting")

.add_attribute("voter", cw20_msg.sender)

.add_attribute("power", cw20_msg.amount))

}

_ => Ok(Response::default()),

}

pub fn propose(deps: DepsMut, env: Env, info: MessageInfo) -> Result<Response, ContractError> {

let current_proposal = PROPOSAL.load(deps.storage);

if current_proposal.is_ok() {

return Err(ContractError::ProposalAlreadyExists {});

}

PROPOSAL.save(

deps.storage,

&Proposal {

proposer: info.sender.clone(),

timestamp: env.block.time,

},

)?;

Ok(Response::new()

.add_attribute("action", "New proposal")

.add_attribute("proposer", info.sender))

pub fn resolve_proposal(

deps: DepsMut,

env: Env,

_info: MessageInfo,

) -> Result<Response, ContractError> {

let config = CONFIG.load(deps.storage)?;

let current_proposal = PROPOSAL.load(deps.storage)?;

if current_proposal

.timestamp

.plus_seconds(config.voting_window)

< env.block.time

{

return Err(ContractError::ProposalNotReady {});

}

let vtoken_info: TokenInfoResponse =

deps.querier.query(&QueryRequest::Wasm(WasmQuery::Smart {

contract_addr: config.voting_token.to_string(),

msg: to_binary(&Cw20QueryMsg::TokenInfo {})?,

}))?;

let balance: BalanceResponse = deps.querier.query(&QueryRequest::Wasm(WasmQuery::Smart {

contract_addr: config.voting_token.to_string(),

msg: to_binary(&Cw20QueryMsg::Balance {

address: env.contract.address.to_string(),

})?,

}))?;

let mut response = Response::new().add_attribute("action", "resolve_proposal");

if balance.balance >= (vtoken_info.total_supply / Uint128::from(3u32)) {

CONFIG.update(deps.storage, |mut config| -> StdResult<_> {

config.owner = current_proposal.proposer;

Ok(config)

})?;

response = response.add_attribute("result", "Passed");

} else {

PROPOSAL.remove(deps.storage);

response = response.add_attribute("result", "Failed");

}

Ok(response)

pub fn owner_action(

deps: DepsMut,

info: MessageInfo,

msg: CosmosMsg,

) -> Result<Response, ContractError> {

let config = CONFIG.load(deps.storage)?;

if config.owner != info.sender {

return Err(ContractError::Unauthorized {});

}

Ok(Response::new()

.add_attribute("action", "owner_action")

.add_message(msg))

pub fn query(deps: Deps, env: Env, msg: QueryMsg) -> StdResult<Binary> {

match msg {

QueryMsg::Config {} => to_binary(&query_config(deps)?),

QueryMsg::Proposal {} => to_binary(&query_proposal(deps)?),

QueryMsg::Balance {} => to_binary(&query_balance(deps, env)?),

}

pub fn query_config(deps: Deps) -> StdResult<Config> {

CONFIG.load(deps.storage)

pub fn query_proposal(deps: Deps) -> StdResult<Proposal> {

PROPOSAL.load(deps.storage)

pub fn query_balance(deps: Deps, env: Env) -> StdResult<Uint128> {

let config = CONFIG.load(deps.storage)?;

let balance: BalanceResponse = deps.querier.query(&QueryRequest::Wasm(WasmQuery::Smart {

contract_addr: config.voting_token.to_string(),

msg: to_binary(&Cw20QueryMsg::Balance {

address: env.contract.address.to_string(),

})?,

}))?;

Ok(balance.balance)

use cosmwasm_std::StdError;

use thiserror::Error;

pub enum ContractError {

#[error("{0}")]

Std(#[from] StdError),

#[error("Unauthorized")]

Unauthorized {},

#[error("The voting window is closed")]

VotingWindowClosed {},

#[error("A proposal already exists")]

ProposalAlreadyExists {},

#[error("No proposal exists")]

ProposalDoesNotExists {},

#[error("The proposal is not ready yet")]

ProposalNotReady {},