ABCI methods panic

A panic inside an ABCI method (e.g., EndBlocker) will stop the chain. There should be no unanticipated panics in these methods.

Some less expected panic sources are:

• Coins, DecCoins, Dec, Int, and UInt types panics a lot, for example on overflows and rounding errors
• new Dec panics
• x/params's SetParamSet panics if arguments are invalid

Example

The application below enforces limits on how much coins can be borrowed globally. If the loan.Borrowed array of Coins can be forced to be not-sorted (by coins' denominations), the Add method will panic.

Moreover, the Mul may panic if some asset's price becomes large.

func BeginBlocker(ctx sdk.Context, k keeper.Keeper) {
    if !validateTotalBorrows(ctx, k) {
        k.PauseNewLoans(ctx)
    }
}

func validateTotalBorrows(ctx sdk.Context, k keeper.Keeper) {
    total := sdk.NewCoins()
    for _, loan := range k.GetUsersLoans() {
        total.Add(loan.Borrowed...)
    }

    for _, totalOneAsset := range total {
        if totalOneAsset.Amount.Mul(k.GetASsetPrice(totalOneAsset.Denom)).GTE(k.GetGlobalMaxBorrow()) {
            return false
        }
    }
    return true
}

Mitigations

• Use CodeQL static analysis to detect panics in ABCI methods
• Review the code against unexpected panics

External examples

• Gravity Bridge can panic in multiple locations in the EndBlocker method
• Agoric panics purposefully if the PushAction method returns an error
• Setting invalid parameters in x/distribution module causes panic in BeginBlocker. Valid parameters are described in the documentation.