Problem: sender check for MsgStoreBlockList is not in CheckTx

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## UNRELEASED
+
+### Improvements
+
+* [#1613](https://github.com/crypto-org-chain/cronos/pull/1613) Check admin sender for MsgStoreBlockList in check tx.
+
 *Sep 24, 2024*
 
 ## v1.3.2

app/app.go

@@ -1021,7 +1021,7 @@ func (app *App) setAnteHandler(txConfig client.TxConfig, maxGasWanted uint64, bl
 
 		blockedMap[string(addr)] = struct{}{}
 	}
-	blockAddressDecorator := NewBlockAddressesDecorator(blockedMap)
+	blockAddressDecorator := NewBlockAddressesDecorator(blockedMap, app.CronosKeeper.GetParams)
 
 	options := evmante.HandlerOptions{
 		AccountKeeper:          app.AccountKeeper,

app/block_address.go

@@ -3,17 +3,25 @@ package app
 import (
 	"fmt"
 
+	"cosmossdk.io/errors"
 	sdk "github.com/cosmos/cosmos-sdk/types"
+	sdkerrors "github.com/cosmos/cosmos-sdk/types/errors"
+	"github.com/crypto-org-chain/cronos/v2/x/cronos/types"
 )
 
 // BlockAddressesDecorator block addresses from sending transactions
 type BlockAddressesDecorator struct {
 	blockedMap map[string]struct{}
+	getParams  func(ctx sdk.Context) types.Params
 }
 
-func NewBlockAddressesDecorator(blacklist map[string]struct{}) BlockAddressesDecorator {
+func NewBlockAddressesDecorator(
+	blacklist map[string]struct{},
+	getParams func(ctx sdk.Context) types.Params,
+) BlockAddressesDecorator {
 	return BlockAddressesDecorator{
 		blockedMap: blacklist,
+		getParams:  getParams,
 	}
 }
 
@@ -26,6 +34,14 @@ func (bad BlockAddressesDecorator) AnteHandle(ctx sdk.Context, tx sdk.Tx, simula
 				}
 			}
 		}
+		admin := bad.getParams(ctx).CronosAdmin
+		for _, msg := range tx.GetMsgs() {
+			if blocklistMsg, ok := msg.(*types.MsgStoreBlockList); ok {
+				if admin != blocklistMsg.From {
+					return ctx, errors.Wrap(sdkerrors.ErrUnauthorized, "msg sender is not authorized")
+				}
+			}
+		}
 	}
 	return next(ctx, tx, simulate)
 }

x/cronos/types/messages.go

@@ -347,7 +347,8 @@ func (msg *MsgStoreBlockList) ValidateBasic() error {
 	if err != nil {
 		return errors.Wrapf(sdkerrors.ErrInvalidAddress, "invalid sender address (%s)", err)
 	}
-
+	// skip heavy operation in Decrypt by early return with errDummyIdentity in
+	// https://github.com/FiloSottile/age/blob/v1.1.1/age.go#L197
 	_, err = age.Decrypt(bytes.NewBuffer(msg.Blob), new(dummyIdentity))
 	if err != nil && err != errDummyIdentity {
 		return err

x/cronos/types/messages_test.go

@@ -1,16 +1,20 @@
 package types_test
 
 import (
+	"bytes"
 	"fmt"
+	"log"
 	"testing"
 
-	"github.com/crypto-org-chain/cronos/v2/app"
+	"filippo.io/age"
+	sdk "github.com/cosmos/cosmos-sdk/types"
+	cmdcfg "github.com/crypto-org-chain/cronos/v2/cmd/cronosd/config"
 	"github.com/crypto-org-chain/cronos/v2/x/cronos/types"
 	"github.com/stretchr/testify/require"
 )
 
 func TestValidateMsgUpdateTokenMapping(t *testing.T) {
-	app.SetConfig()
+	cmdcfg.SetBech32Prefixes(sdk.GetConfig())
 
 	testCases := []struct {
 		name     string
@@ -54,3 +58,68 @@ func TestValidateMsgUpdateTokenMapping(t *testing.T) {
 		})
 	}
 }
+
+func TestValidateMsgStoreBlockList(t *testing.T) {
+	cmdcfg.SetBech32Prefixes(sdk.GetConfig())
+
+	publicKey := "age1cy0su9fwf3gf9mw868g5yut09p6nytfmmnktexz2ya5uqg9vl9sss4euqm"
+	recipient, err := age.ParseX25519Recipient(publicKey)
+	if err != nil {
+		log.Fatalf("Failed to parse public key %q: %v", publicKey, err)
+	}
+
+	from := "crc12luku6uxehhak02py4rcz65zu0swh7wjsrw0pp"
+	blob := []byte("valid blob data")
+	testCases := []struct {
+		name        string
+		msg         *types.MsgStoreBlockList
+		noEncrypt   bool
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			"valid message",
+			types.NewMsgStoreBlockList(from, blob),
+			false,
+			false,
+			"",
+		},
+		{
+			"invalid sender address",
+			types.NewMsgStoreBlockList("invalid", blob),
+			false,
+			true,
+			"invalid sender address",
+		},
+		{
+			"decryption error",
+			types.NewMsgStoreBlockList(from, blob),
+			true,
+			true,
+			"failed to read header",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			if !tc.noEncrypt {
+				out := new(bytes.Buffer)
+				w, err := age.Encrypt(out, recipient)
+				require.NoError(t, err)
+				_, err = w.Write(tc.msg.Blob)
+				require.NoError(t, err)
+				err = w.Close()
+				require.NoError(t, err)
+				tc.msg.Blob = out.Bytes()
+			}
+
+			err = tc.msg.ValidateBasic()
+			if tc.expectError {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.errorMsg)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}