From 93d14d50bd79fc8fc993c4e0a10911ef018ccb5e Mon Sep 17 00:00:00 2001
From: Joe Monem <jmonem@icloud.com>
Date: Mon, 16 Dec 2024 14:59:05 +0200
Subject: [PATCH] fix: check sender in ibc_receive_internal_call in router and
 factory, comment typo

---
 contracts/hub/router/src/execute.rs            | 2 +-
 contracts/hub/router/src/ibc/receive.rs        | 4 ++++
 contracts/liquidity/factory/src/contract.rs    | 2 +-
 contracts/liquidity/factory/src/ibc/receive.rs | 8 +++++++-
 4 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/contracts/hub/router/src/execute.rs b/contracts/hub/router/src/execute.rs
index ca012a8..bab0b4d 100644
--- a/contracts/hub/router/src/execute.rs
+++ b/contracts/hub/router/src/execute.rs
@@ -408,7 +408,7 @@ pub fn execute_release_escrow(
 
     ensure!(
         transfer_amount.checked_add(remaining_withdraw_amount)? == amount,
-        ContractError::new("Amount mismatch after trasnfer calculations")
+        ContractError::new("Amount mismatch after transfer calculations")
     );
 
     if !transfer_amount.is_zero() {
diff --git a/contracts/hub/router/src/ibc/receive.rs b/contracts/hub/router/src/ibc/receive.rs
index 09b5770..b63d35c 100644
--- a/contracts/hub/router/src/ibc/receive.rs
+++ b/contracts/hub/router/src/ibc/receive.rs
@@ -74,6 +74,10 @@ pub fn ibc_receive_internal_call(
     info: MessageInfo,
     msg: IbcPacketReceiveMsg,
 ) -> Result<Response, ContractError> {
+    ensure!(
+        info.sender == env.contract.address,
+        ContractError::Unauthorized {}
+    );
     // Get the chain data from current channel received
     let channel = msg.packet.dest.channel_id;
     let chain_uid = CHANNEL_TO_CHAIN_UID.load(deps.storage, channel)?;
diff --git a/contracts/liquidity/factory/src/contract.rs b/contracts/liquidity/factory/src/contract.rs
index 6a0ca2f..b33ffdd 100644
--- a/contracts/liquidity/factory/src/contract.rs
+++ b/contracts/liquidity/factory/src/contract.rs
@@ -225,7 +225,7 @@ pub fn execute(
             ibc::ack_and_timeout::ibc_ack_packet_internal_call(deps, info, env, ack)
         }
         ExecuteMsg::IbcCallbackReceive { receive_msg } => {
-            ibc::receive::ibc_receive_internal_call(deps, env, receive_msg)
+            ibc::receive::ibc_receive_internal_call(deps, env, info, receive_msg)
         }
         ExecuteMsg::NativeReceiveCallback { msg } => {
             execute_native_receive_callback(deps, env, info, msg)
diff --git a/contracts/liquidity/factory/src/ibc/receive.rs b/contracts/liquidity/factory/src/ibc/receive.rs
index 664beb6..7bd083c 100644
--- a/contracts/liquidity/factory/src/ibc/receive.rs
+++ b/contracts/liquidity/factory/src/ibc/receive.rs
@@ -2,7 +2,7 @@
 use cosmwasm_std::entry_point;
 use cosmwasm_std::{
     ensure, from_json, to_json_binary, CosmosMsg, DepsMut, Env, IbcPacketReceiveMsg,
-    IbcReceiveResponse, Response, StdError, SubMsg, Uint128, WasmMsg,
+    IbcReceiveResponse, MessageInfo, Response, StdError, SubMsg, Uint128, WasmMsg,
 };
 use euclid::{
     chain::{ChainUid, CrossChainUserWithLimit},
@@ -54,8 +54,14 @@ pub fn ibc_packet_receive(
 pub fn ibc_receive_internal_call(
     deps: DepsMut,
     env: Env,
+    info: MessageInfo,
     msg: IbcPacketReceiveMsg,
 ) -> Result<Response, ContractError> {
+    ensure!(
+        info.sender == env.contract.address,
+        ContractError::Unauthorized {}
+    );
+
     let router = msg.packet.src.port_id.replace("wasm.", "");
     let state = STATE.load(deps.storage)?;
     ensure!(