code-423n4 / 2024-03-phala-network-findings


import_system_code is not transparent enough to use for substrate blockchain #10

Closed c4-bot-3 closed 3 months ago

c4-bot-3 commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/capi/ecall_impl.rs#L66

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/capi/ecall_impl.rs#L59-L62

Vulnerability details

Impact

import_latest_system_code is not transparent enough to use for substrate blockchain

Proof of Concept

The function `setup` allows a user to set up a cluster, as shown here:

```rust
fn setup(&mut self, config: ClusterSetupConfig) -> Result<(), String> {
    on_genesis();
    let ClusterSetupConfig {
        cluster_id,
        owner,
        deposit,
        gas_price,
        deposit_per_item,
        deposit_per_byte,
        treasury_account,
        system_code,
    } = config;
    PalletPink::set_cluster_id(cluster_id);
    PalletPink::set_gas_price(gas_price);
    PalletPink::set_deposit_per_item(deposit_per_item);
    PalletPink::set_deposit_per_byte(deposit_per_byte);
    PalletPink::set_treasury_account(&treasury_account);
    // ... remainder of the function not quoted in the submission
```

Here we see that `cluster_id` is typed as a hash, which in the case of pink! is a blake2-256 hash:

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/capi/src/types.rs#L5

The problem here is that the blake2-256 is not transparent, making this

Tools Used

Manual Review

Recommended Mitigation Steps

Use a more transparent hash for cluster_id

Assessed type

Other

c4-bot-7 commented 3 months ago

Withdrawn by Cryptor

c4-judge commented 3 months ago

OpenCoreCH marked the issue as nullified