Skip to content

fix(x/bank): cap denom-unit + alias length during metadata validation#26426

Open
ozpool wants to merge 1 commit into
cosmos:mainfrom
ozpool:fix/26012-denom-unit-count-limit
Open

fix(x/bank): cap denom-unit + alias length during metadata validation#26426
ozpool wants to merge 1 commit into
cosmos:mainfrom
ozpool:fix/26012-denom-unit-count-limit

Conversation

@ozpool
Copy link
Copy Markdown
Contributor

@ozpool ozpool commented May 15, 2026

What

Closes #26012.

Metadata.Validate had no semantic size limit on DenomUnits or per-unit Aliases, so a payload like { DenomUnits: <1M entries> } passes today's per-entry checks. The issue calls out exactly this: "It makes it easy for malicious actor to construct large message."

Add a count cap on each slice. The caps fire during the existing Validate path, so genesis ingestion, MsgSetDenomMetadata, and gov-proposal flows all inherit them for free without changing surface or invariants.

Constant Value Headroom rationale
MaxDenomUnits 100 Real-world tokens publish 2-4 entries (uatom/matom/atom). 100 absorbs unusual reference-currency mappings (decimal divisions, alt locale shorthand) without admitting unbounded payloads.
MaxDenomUnitAliases 32 Production usage is 1-3 aliases per unit. 32 is generous for niche shorthand sets.

Tests

x/bank/types/metadata_test.go::TestMetadataValidate picks up three new cases:

  • too many denom units (#26012)MaxDenomUnits + 1 entries → rejected.
  • denom units at exact cap — exactly MaxDenomUnits entries (with sort + display invariants intact via buildMetadataWithDenomUnits) → accepted.
  • too many aliases on a denom unit (#26012)MaxDenomUnitAliases + 1 aliases on one unit → rejected.
$ go test ./x/bank/types/ -run TestMetadata -count=1
ok      github.com/cosmos/cosmos-sdk/x/bank/types       0.997s

$ go test ./x/bank/types/ -count=1
ok      github.com/cosmos/cosmos-sdk/x/bank/types       0.540s

$ gofmt -l x/bank/types/metadata.go x/bank/types/metadata_test.go
(clean)

$ go vet ./x/bank/types/
(clean)

CHANGELOG

Per maintainer convention, leaving the ### Bug Fixes entry for the merger to add at landing time alongside the assigned PR number. Suggested line:

* (x/bank) [#XXXX](https://github.com/cosmos/cosmos-sdk/pull/XXXX) Cap `Metadata.DenomUnits` and `DenomUnit.Aliases` length during validation so a malicious actor cannot construct an arbitrarily large coin-metadata message (Fixes #26012).

@ozpool
fix(x/bank): cap denom-unit slice + alias slice length during validat…
bd067f7 
…ion (cosmos#26012)

cosmos#26012 flagged that Metadata.Validate has no semantic size limit on
DenomUnits or per-unit Aliases, so a malicious actor can submit a
metadata payload that bloats SetDenomMetadata storage without paying
proportional gas. Add a count cap on each:

- MaxDenomUnits = 100 — well above the 2-4 entries real-world tokens
  publish (uatom/matom/atom-style ladders), generous enough to absorb
  unusual reference-currency mappings.
- MaxDenomUnitAliases = 32 — production usage is one to three; 32 still
  blocks unbounded payloads.

Both caps fire during Metadata.Validate via a single len() check, so the
existing genesis / msg_server / proposal validation paths inherit them
for free.

Tests added in x/bank/types/metadata_test.go cover the new cases:

- too many denom units (MaxDenomUnits+1) -> rejected
- denom units at exact cap -> accepted
- too many aliases on a denom unit (MaxDenomUnitAliases+1) -> rejected

x/bank/types tests: ok 0.540s. gofmt + go vet clean.
@ozpool ozpool requested a review from a team as a code owner May 15, 2026 11:13
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented May 15, 2026

PR author is not in the allowed authors list.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Problem: no semantic size limit for denom units

1 participant

@ozpool