refactor: replace GetAllBalances call inside rewards InitGenesis (#14)

## Description

This PR replaces the `GetAllBalances` call inside the `x/rewards`
`InitGenesis` method which can be exploited by malicious users to
prevent chain start.

<!-- Add a description of the changes that this PR introduces and the
files that
are the most critical to review. -->

---

### Author Checklist

*All items are required. Please add a note to the item if the item is
not applicable and
please add links to any relevant follow up issues.*

I have...

- [x] included the correct [type
prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json)
in the PR title
- [ ] added `!` to the type prefix if API or client breaking change
- [x] targeted the correct branch (see [PR
Targeting](https://github.com/milkyway-labs/milkyway/blob/master/CONTRIBUTING.md#pr-targeting))
- [x] provided a link to the relevant issue or specification
- [x] followed the guidelines for [building
modules](https://docs.cosmos.network/v0.44/building-modules/intro.html)
- [ ] included the necessary unit and integration
[tests](https://github.com/milkyway-labs/milkyway/blob/master/CONTRIBUTING.md#testing)
- [ ] added a changelog entry to `CHANGELOG.md`
- [x] included comments for [documenting Go
code](https://blog.golang.org/godoc)
- [ ] updated the relevant documentation or specification
- [x] reviewed "Files changed" and left comments if necessary
- [x] confirmed all CI checks have passed

### Reviewers Checklist

*All items are required. Please add a note if the item is not applicable
and please add
your handle next to the items reviewed if you only reviewed selected
items.*

I have...

- [ ] confirmed the correct [type
prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json)
in the PR title
- [ ] confirmed `!` in the type prefix if API or client breaking change
- [ ] confirmed all author checklist items have been addressed
- [ ] reviewed state machine logic
- [ ] reviewed API design and naming
- [ ] reviewed documentation is accurate
- [ ] reviewed tests and test coverage
- [ ] manually tested (if applicable)

---------

Co-authored-by: Alpo <[email protected]>
(cherry picked from commit ede14aa)

x/rewards/keeper/genesis.go

@@ -312,15 +312,24 @@ func (k *Keeper) InitGenesis(ctx sdk.Context, state *types.GenesisState) error {
 	if rewardsPoolAcc == nil {
 		return fmt.Errorf("rewards pool module account has not been set")
 	}
-	rewardsPoolBalances := k.bankKeeper.GetAllBalances(ctx, rewardsPoolAcc.GetAddress())
+
+	totalOutstandingRewardsTruncated, _ := totalOutstandingRewards.TruncateDecimal()
+
+	// Get the rewards pool balances based on the denoms that have outstanding rewards
+	// This is to avoid the call to GetAllBalances which can be exploited by a malicious user
+	// since it iterates unboundedly over the full address balance
+	rewardsPoolBalances := sdk.NewCoins()
+	for _, outstandingReward := range totalOutstandingRewards {
+		rewardsPoolBalance := k.bankKeeper.GetBalance(ctx, rewardsPoolAcc.GetAddress(), outstandingReward.Denom)
+		rewardsPoolBalances = rewardsPoolBalances.Add(rewardsPoolBalance)
+	}
 
 	// Save the rewards pool module account if balances are zero.
 	// This code is taken from Cosmos SDK.
 	if rewardsPoolBalances.IsZero() {
 		k.accountKeeper.SetModuleAccount(ctx, rewardsPoolAcc)
 	}
 
-	totalOutstandingRewardsTruncated, _ := totalOutstandingRewards.TruncateDecimal()
 	if totalOutstandingRewardsTruncated.IsAnyGT(rewardsPoolBalances) {
 		return fmt.Errorf("rewards pool module balance does not match the module holdings: %s < %s",
 			rewardsPoolBalances,