patch-1

Author: Reecepbcups

x/wasm/keeper/keeper.go

@@ -266,6 +266,18 @@ func (k Keeper) importCode(ctx sdk.Context, codeID uint64, codeInfo types.CodeIn
 	return nil
 }
 
+func (k Keeper) checkIfFundsAreFromDisallowedModule(ctx sdk.Context, ak types.AccountKeeper, runAs sdk.AccAddress) error {
+	// Runs on Governance Instantiate & Execute after we check for funds
+	// Without this check, invariance and halt can be caused from the distribution module
+	// via a governance proposal if this was allowed.
+	moduleName := "distribution"
+	if runAs.String() == ak.GetModuleAddress(moduleName).String() {
+		return fmt.Errorf("cannot send funds from %s module account", moduleName)
+	}
+
+	return nil
+}
+
 func (k Keeper) instantiate(
 	ctx sdk.Context,
 	codeID uint64,
@@ -332,6 +344,10 @@ func (k Keeper) instantiate(
 	}
 	// deposit initial contract funds
 	if !deposit.IsZero() {
+		if err := k.checkIfFundsAreFromDisallowedModule(ctx, k.accountKeeper, creator); err != nil {
+			return nil, nil, err
+		}
+
 		if err := k.bank.TransferCoins(ctx, creator, contractAddress, deposit); err != nil {
 			return nil, nil, err
 		}
@@ -408,6 +424,10 @@ func (k Keeper) execute(ctx sdk.Context, contractAddress sdk.AccAddress, caller
 
 	// add more funds
 	if !coins.IsZero() {
+		if err := k.checkIfFundsAreFromDisallowedModule(ctx, k.accountKeeper, caller); err != nil {
+			return nil, err
+		}
+
 		if err := k.bank.TransferCoins(ctx, caller, contractAddress, coins); err != nil {
 			return nil, err
 		}

x/wasm/types/expected_keepers.go

@@ -43,6 +43,8 @@ type AccountKeeper interface {
 	GetAccount(ctx sdk.Context, addr sdk.AccAddress) authtypes.AccountI
 	// Set an account in the store.
 	SetAccount(ctx sdk.Context, acc authtypes.AccountI)
+	// Gets an account from the module's human readable name.
+	GetModuleAddress(moduleName string) sdk.AccAddress
 }
 
 // DistributionKeeper defines a subset of methods implemented by the cosmos-sdk distribution keeper