The problem
When creating an UpdateChannelPayouts proposal, the user provides UpdateChannelPayoutsParameters. Those parameters include payload.uploader_account, which is then used to pay the bloat bond and the fees for uploading the payload to the council storage bag.
The problem is that there is no signature verification for this account: the extrinsic is signed by the proposer's controller account, but uploader_account is a plain field in the parameters and is never checked against the signer. A malicious proposal creator can therefore set it to any account at all (including runtime module accounts), and if the council then approves the proposal, whether maliciously or without checking, the bloat bond and upload fees are charged to an account the proposer never controlled, which can lead to serious security issues.
Possible fix
One of the possible fixes would be to disallow providing this account as part of the parameters and let the runtime set it to the proposal creator's member controller account instead (during proposal creation), so the account that pays is always the one that signed.
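As an added illustration (not the Joystream runtime's own code), the following Rust model contrasts the two shapes described above: a proposal call that trusts a caller-supplied uploader_account, and one where the runtime derives the payer from the proposer's member controller account. The ledger, the member-to-controller map, the BLOAT_BOND and PER_BYTE_FEE constants, and every account and member id below are constructed for the example.

```rust
use std::collections::HashMap;

type AccountId = u64;
type MemberId = u64;
type Balance = u128;

// Constructed sample constants, not the real runtime's values.
const BLOAT_BOND: Balance = 100;
const PER_BYTE_FEE: Balance = 1;

/// Vulnerable parameter shape: the caller names the account to be charged.
#[derive(Clone, Debug)]
pub struct UpdateChannelPayoutsParameters {
    pub uploader_account: AccountId,
    pub payload_size: u64,
}

/// Fixed parameter shape: no account field at all; the runtime picks the payer.
#[derive(Clone, Debug)]
pub struct UpdateChannelPayoutsParametersFixed {
    pub payload_size: u64,
}

#[derive(Debug, PartialEq)]
pub enum Error {
    BadOrigin,         // signer is not the member's controller account
    InsufficientFunds, // payer cannot cover bloat bond + upload fee
}

/// Minimal stand-in for the runtime state the check touches.
pub struct Runtime {
    pub balances: HashMap<AccountId, Balance>,
    pub controller_of: HashMap<MemberId, AccountId>,
}

impl Runtime {
    /// Signed-origin check: the member must be acting through its controller account.
    fn ensure_member_controller(&self, signer: AccountId, member_id: MemberId) -> Result<AccountId, Error> {
        match self.controller_of.get(&member_id) {
            Some(&c) if c == signer => Ok(c),
            _ => Err(Error::BadOrigin),
        }
    }

    fn charge(&mut self, who: AccountId, amount: Balance) -> Result<(), Error> {
        let bal = self.balances.entry(who).or_insert(0);
        if *bal < amount {
            return Err(Error::InsufficientFunds);
        }
        *bal -= amount;
        Ok(())
    }

    /// Vulnerable: origin is verified, but the account that pays is whatever the
    /// caller put in `params.uploader_account`; nothing ties it to `signer`.
    pub fn create_proposal_vulnerable(
        &mut self, signer: AccountId, member_id: MemberId, params: &UpdateChannelPayoutsParameters,
    ) -> Result<AccountId, Error> {
        self.ensure_member_controller(signer, member_id)?;
        let payer = params.uploader_account; // attacker-controlled value
        self.charge(payer, BLOAT_BOND + PER_BYTE_FEE * params.payload_size as Balance)?;
        Ok(payer)
    }

    /// Fixed: the payer is the proposer's own controller account, set by the runtime.
    pub fn create_proposal_fixed(
        &mut self, signer: AccountId, member_id: MemberId, params: &UpdateChannelPayoutsParametersFixed,
    ) -> Result<AccountId, Error> {
        let payer = self.ensure_member_controller(signer, member_id)?;
        self.charge(payer, BLOAT_BOND + PER_BYTE_FEE * params.payload_size as Balance)?;
        Ok(payer)
    }
}

/// Constructed state: member 7 is controlled by account 42; account 999 plays a
/// well-funded "module account" the proposer does not control.
pub fn sample_runtime() -> Runtime {
    Runtime {
        balances: HashMap::from([(42, 500), (999, 1_000_000)]),
        controller_of: HashMap::from([(7, 42)]),
    }
}

fn main() {
    let mut rt = sample_runtime();
    let bad = UpdateChannelPayoutsParameters { uploader_account: 999, payload_size: 25 };
    println!("vulnerable charged: {:?}", rt.create_proposal_vulnerable(42, 7, &bad));
    let ok = UpdateChannelPayoutsParametersFixed { payload_size: 25 };
    println!("fixed charged: {:?}", rt.create_proposal_fixed(42, 7, &ok));
}
```

The vulnerable path debits account 999 even though the signer is 42; the fixed path has no field to abuse and always debits the controller account that signed the extrinsic.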