Closed c4-bot-5 closed 5 months ago
141345 marked the issue as primary issue
141345 marked the issue as sufficient quality report
yet to implement random num generation function
It's not a deterministic RNG, as the doc says, it is only for query.
kvinwang (sponsor) disputed
OpenCoreCH marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime/extension.rs#L434-L440
Vulnerability details
Proof of Concept
The implementation of the CallInCommand structure within the Pink runtime framework presents a potential security risk. The getrandom function consistently returns an empty vector, effectively generating a deterministic "random" number (zero) within a transaction context.
Take a look at https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime/extension.rs#L434-L440
It can be seen that this function always returns an empty vector, regardless of the requested length.
Impact
This predictability can negatively impact applications that rely on getrandom for randomness within transactions:
The severity of this impact depends on how applications utilize the "random" number within transactions. If critical security operations depend on this function, the consequences can be significant.
Recommended Mitigation Steps
Here are some recommendations to address this issue:
getrandom function within CallInCommand to utilize a cryptographically secure random number generator (CSPRNG) that is suitable for the Pink runtime environment. This ensures true randomness even within transactions.
Alternatively, an attempt on this method should always error out or clearly document in the Pink runtime documentation that getrandom does not return a random number.
Assessed type
Context
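Added example, not part of the report and not the Pink runtime's own code: a caller-side guard that turns the behaviour discussed in this thread (an empty vector returned in a transaction context) into an explicit error instead of silently using zero bytes. The trait, the type names and the fixed-pattern stub are assumptions made for illustration.

```rust
// Hypothetical stand-in for the extension interface discussed in this issue.
trait RandomSource {
    fn getrandom(&self, length: usize) -> Vec<u8>;
}

// Models the transaction (command) context as the report describes it:
// an empty vector regardless of the requested length.
struct CommandContext;
impl RandomSource for CommandContext {
    fn getrandom(&self, _length: usize) -> Vec<u8> {
        Vec::new()
    }
}

// Constructed stand-in for a context that fills the request. The bytes are a
// fixed pattern so the example is reproducible; this is NOT a real RNG.
struct FilledStub;
impl RandomSource for FilledStub {
    fn getrandom(&self, length: usize) -> Vec<u8> {
        (0..length).map(|i| (i as u8).wrapping_mul(37).wrapping_add(11)).collect()
    }
}

#[derive(Debug, PartialEq)]
enum RandomError {
    // The source returned fewer (or more) bytes than were requested.
    WrongLength { wanted: usize, got: usize },
}

// Refuse to continue unless exactly `length` bytes came back.
fn require_random(src: &dyn RandomSource, length: usize) -> Result<Vec<u8>, RandomError> {
    let bytes = src.getrandom(length);
    if bytes.len() != length {
        return Err(RandomError::WrongLength { wanted: length, got: bytes.len() });
    }
    Ok(bytes)
}

// Typical caller: a 16-byte nonce that must never be built from an empty result.
fn fresh_nonce(src: &dyn RandomSource) -> Result<[u8; 16], RandomError> {
    let bytes = require_random(src, 16)?;
    let mut nonce = [0u8; 16];
    nonce.copy_from_slice(&bytes);
    Ok(nonce)
}

fn main() {
    println!("command context: {:?}", fresh_nonce(&CommandContext));
    println!("filled stub:     {:?}", fresh_nonce(&FilledStub));
}
```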