
Investigate Authz SpendAllowance draining #25822

@aljo242

Summary of Impact
A state atomicity flaw exists in the Cosmos SDK x/authz module during MsgExec execution.
When an inner message executed via MsgExec fails, the authorization state is still partially mutated. Specifically, the SendAuthorization SpendLimit is reduced even though the execution returns an error.
This violates a fundamental SDK invariant: failed executions must not result in persistent state changes.
The issue occurs because the execution logic does not use a cached context (CacheContext) to ensure atomic rollback on failure.
Steps to Prove / Reproduce (Logic-Level)
1. A grantee is given a SendAuthorization with a SpendLimit of 100 tokens.
2. The grantee submits a MsgExec containing an inner MsgSend for 50 tokens.
3. The granter has insufficient balance, causing the inner MsgSend to fail.
4. MsgExec returns an error, indicating execution failure.
5. Despite the failure, the authorization’s SpendLimit is reduced from 100 to 50.
This process can be repeated to drain the grant without any successful message execution.
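The rollback point made above, as an added example that is not code from the Cosmos SDK or from this issue: a small Go model of a committed key-value store plus a cache store that buffers writes until Write() is called (the role ctx.CacheContext() plays in the SDK). ExecNonAtomic reproduces the ordering the issue describes, where the SpendLimit is reduced in committed state before the inner send fails; ExecAtomic performs both steps inside the cache and only writes through on success. All names (ExecNonAtomic, ExecAtomic, Scenario, the "grant/alice->bob" and "balance/alice" keys) and the balances are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// KVStore is a minimal stand-in for an SDK KVStore (constructed model, not the SDK's).
type KVStore interface {
	Get(key string) (int64, bool)
	Set(key string, v int64)
}

// baseStore is committed state.
type baseStore struct{ data map[string]int64 }

func newBaseStore() *baseStore                { return &baseStore{data: map[string]int64{}} }
func (s *baseStore) Get(k string) (int64, bool) { v, ok := s.data[k]; return v, ok }
func (s *baseStore) Set(k string, v int64)      { s.data[k] = v }

// cacheStore buffers writes over a parent store and flushes them only on Write,
// mirroring the branch-and-commit behaviour of a cached context.
type cacheStore struct {
	parent KVStore
	dirty  map[string]int64
}

func newCacheStore(parent KVStore) *cacheStore {
	return &cacheStore{parent: parent, dirty: map[string]int64{}}
}
func (c *cacheStore) Get(k string) (int64, bool) {
	if v, ok := c.dirty[k]; ok {
		return v, true
	}
	return c.parent.Get(k)
}
func (c *cacheStore) Set(k string, v int64) { c.dirty[k] = v }
func (c *cacheStore) Write() {
	for k, v := range c.dirty {
		c.parent.Set(k, v)
	}
	c.dirty = map[string]int64{}
}

// innerSend models the inner MsgSend: it fails when the granter's balance is too low.
func innerSend(store KVStore, granter string, amount int64) error {
	bal, _ := store.Get("balance/" + granter)
	if bal < amount {
		return errors.New("insufficient funds")
	}
	store.Set("balance/"+granter, bal-amount)
	return nil
}

// spendFromGrant models the Accept step: reduce the SpendLimit or reject.
func spendFromGrant(store KVStore, grantKey string, amount int64) error {
	limit, ok := store.Get(grantKey)
	if !ok {
		return errors.New("authorization not found")
	}
	if amount > limit {
		return errors.New("requested amount exceeds spend limit")
	}
	store.Set(grantKey, limit-amount)
	return nil
}

// ExecNonAtomic: the grant is updated in committed state before the inner
// message runs, so a failed send leaves the reduced SpendLimit behind.
func ExecNonAtomic(store KVStore, grantKey, granter string, amount int64) error {
	if err := spendFromGrant(store, grantKey, amount); err != nil {
		return err
	}
	return innerSend(store, granter, amount)
}

// ExecAtomic: both steps run against a cache store and are written through
// only on success, so a failed inner message also rolls back the grant update.
func ExecAtomic(store KVStore, grantKey, granter string, amount int64) error {
	cache := newCacheStore(store)
	if err := spendFromGrant(cache, grantKey, amount); err != nil {
		return err
	}
	if err := innerSend(cache, granter, amount); err != nil {
		return err // nothing reaches the parent store
	}
	cache.Write()
	return nil
}

// Scenario runs the issue's reproduction (100 token grant, 50 token send, granter
// unable to cover it) and returns the SpendLimit left in committed state.
func Scenario(exec func(KVStore, string, string, int64) error) (int64, error) {
	store := newBaseStore()
	store.Set("grant/alice->bob", 100) // constructed grant
	store.Set("balance/alice", 10)     // constructed balance, below the 50 requested
	err := exec(store, "grant/alice->bob", "alice", 50)
	remaining, _ := store.Get("grant/alice->bob")
	return remaining, err
}

func main() {
	r1, e1 := Scenario(ExecNonAtomic)
	fmt.Printf("non-atomic: err=%v, remaining SpendLimit=%d\n", e1, r1)
	r2, e2 := Scenario(ExecAtomic)
	fmt.Printf("atomic:     err=%v, remaining SpendLimit=%d\n", e2, r2)
}
```

Both variants return the same "insufficient funds" error; the difference is only in what survives in committed state afterwards, which is the invariant the issue says a failed MsgExec must preserve.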
Impact
Summary:
This vulnerability allows an attacker (or authorized grantee) to drain or invalidate an authorization grant without any successful execution.
Potential impacts include:
- Unauthorized reduction of SpendLimit
- Permanent invalidation of valid grants
- Denial of delegated execution or fund transfers
- Violation of authorization guarantees relied upon by SDK chains
The issue affects any chain that uses x/authz for delegated execution and fund movement.
