Closed c4-bot-3 closed 3 months ago
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/capi/ecall_impl.rs#L66
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/capi/ecall_impl.rs#L59-L62
Vulnerability details
Impact
import_latest_system_code is not transparent enough to use for a Substrate blockchain.
Proof of Concept
The function setup allows a user to set up a cluster, shown here:
```rust
fn setup(&mut self, config: ClusterSetupConfig) -> Result<(), String> {
    on_genesis();
    let ClusterSetupConfig {
        cluster_id,
        owner,
        deposit,
        gas_price,
        deposit_per_item,
        deposit_per_byte,
        treasury_account,
        system_code,
    } = config;
    PalletPink::set_cluster_id(cluster_id);
    PalletPink::set_gas_price(gas_price);
    PalletPink::set_deposit_per_item(deposit_per_item);
    PalletPink::set_deposit_per_byte(deposit_per_byte);
    PalletPink::set_treasury_account(&treasury_account);
    // ... (the rest of the function is not shown in the report)
}
```
Here we see that cluster_id is typed as a hash, which in the case of pink! is a blake2-256 hash:
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/capi/src/types.rs#L5
The problem here is that the blake2-256 is not transparent, making this
Tools Used
Manual Review
Recommended Mitigation Steps
Use a more transparent hash for cluster_id
Assessed type
Other
Withdrawn by Cryptor
OpenCoreCH marked the issue as nullified