The SetBlacklist message does not have any validation performed on it via the ValidateBasic() method. It is recommended to always perform validations on messages via ValidateBasic() when possible.
A lack of validation here could allow for bad, meaningless data to be stored in the chain’s state, leading to unpredictable behaviour.
An attacker could also use this feature to deny service to Ethereum addresses that provide useful functionality to users, and thus degrade the availability of software functionality.
Recommendation
It is recommended to perform validation in ValidateBasic whenever possible. In this specific case, JSON is passed into the Message containing Ethereum addresses.
The following list of validations could be performed:
The JSON contains only valid Ethereum addresses
Addresses that are used by the application (such as the Peggy bridge contract, other contracts known to be safe, contract libraries used by Sifchain, and so on) should not be permitted in the blacklist
Note that these suggestions are non-exhaustive, and it may be appropriate to add additional validations depending on the desired functionality of the blacklist.
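The checks the finding recommends, written out as an added example in Go (the language of a Cosmos SDK chain such as Sifchain). This is not Sifchain's code and not code from the audit: the message field names, the payload shape (a JSON array of address strings), the signer check and the protected-address table are all assumptions made for the example, and the two protected addresses are constructed placeholders rather than real deployment addresses. Everything here is stateless, which is exactly what belongs in ValidateBasic(): it runs in CheckTx before the message reaches the mempool or a handler, so bad data is rejected before it can touch chain state.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// MsgSetBlacklist is a stand-in for the message discussed in the issue.
// Field names and the JSON payload shape are assumptions for this example.
type MsgSetBlacklist struct {
	From          string // signer account; its format is not validated here
	BlacklistJSON string // JSON array of Ethereum addresses, e.g. ["0xabc..."]
}

// ethAddrRe matches the canonical 0x-prefixed 20-byte (40 hex char) form.
var ethAddrRe = regexp.MustCompile(`^0x[0-9a-fA-F]{40}$`)

// protectedAddresses are addresses that must never be blacklisted (bridge
// contract, trusted contracts, libraries). CONSTRUCTED placeholders, keyed
// by lower-case address so that lookups are case-insensitive.
var protectedAddresses = map[string]string{
	"0x1111111111111111111111111111111111111111": "peggy bridge contract",
	"0x2222222222222222222222222222222222222222": "trusted token contract",
}

var (
	ErrBadJSON    = errors.New("blacklist payload is not a JSON array of strings")
	ErrBadAddress = errors.New("invalid Ethereum address")
	ErrDuplicate  = errors.New("duplicate address in blacklist")
	ErrProtected  = errors.New("address is protected and cannot be blacklisted")
)

// ValidateBasic performs the stateless checks a Cosmos SDK message should do
// before it is accepted: a signer is present and the payload is well formed.
func (m MsgSetBlacklist) ValidateBasic() error {
	if strings.TrimSpace(m.From) == "" {
		return errors.New("missing signer")
	}
	_, err := ParseBlacklist(m.BlacklistJSON)
	return err
}

// ParseBlacklist decodes and validates the payload and returns the normalised
// (lower-case) address list that a handler would store in state.
func ParseBlacklist(payload string) ([]string, error) {
	var raw []string
	if err := json.Unmarshal([]byte(payload), &raw); err != nil {
		return nil, fmt.Errorf("%w: %v", ErrBadJSON, err)
	}
	seen := make(map[string]struct{}, len(raw))
	out := make([]string, 0, len(raw))
	for i, a := range raw {
		// Reject anything that is not a syntactically valid address.
		if !ethAddrRe.MatchString(a) {
			return nil, fmt.Errorf("%w at index %d: %q", ErrBadAddress, i, a)
		}
		norm := strings.ToLower(a)
		// The same address twice is meaningless data; reject it rather than
		// silently deduplicating so the submitter learns the payload is wrong.
		if _, dup := seen[norm]; dup {
			return nil, fmt.Errorf("%w: %s", ErrDuplicate, norm)
		}
		// Refuse to blacklist addresses the application itself depends on.
		if role, prot := protectedAddresses[norm]; prot {
			return nil, fmt.Errorf("%w: %s (%s)", ErrProtected, norm, role)
		}
		seen[norm] = struct{}{}
		out = append(out, norm)
	}
	return out, nil
}

func main() {
	// Constructed sample messages: one valid, one malformed, one protected.
	msgs := []MsgSetBlacklist{
		{From: "sif1signer", BlacklistJSON: `["0xABCDEFabcdefabcdefabcdefabcdefabcdefabcd"]`},
		{From: "sif1signer", BlacklistJSON: `not json`},
		{From: "sif1signer", BlacklistJSON: `["0x1111111111111111111111111111111111111111"]`},
	}
	for _, m := range msgs {
		fmt.Printf("%-60s -> %v\n", m.BlacklistJSON, m.ValidateBasic())
	}
}
```

Addresses are compared in lower case so that an attacker cannot bypass the protected list by changing the case of a hex digit. What this example deliberately leaves out is EIP-55 checksum verification of mixed-case input: that needs Keccak-256, which is not in the Go standard library, and a real implementation would add it from golang.org/x/crypto/sha3 so that a mistyped address is rejected instead of stored.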
#3219 adds the check for Ethereum addresses. But specific addresses like the Peggy bridge contract or other contracts we deployed on Ethereum are not checked.
I don't think it is necessary to take these special contract addresses into consideration. If @Brando753 or @smartyalgo agree with me, we can close the issue.