Closed c4-bot-1 closed 3 months ago
141345 marked the issue as sufficient quality report
seems invalid
it is called in setup()
when initialize the cluster
Only worker can call it.
kvinwang (sponsor) disputed
OpenCoreCH marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime/pallet_pink.rs#L178-L192
Vulnerability details
Proof of Concept
Take a look at https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime/pallet_pink.rs#L178-L192
These functions allow any account to modify the storage items by simply calling the corresponding function with the desired value. There are no checks to ensure the caller has the necessary privileges.
Impact
The provided Phala pallet contract lacks explicit access control mechanisms for modifying critical storage items like gas price, deposit values, and potentially others. This creates a security concern because any account interacting with the contract could potentially manipulate these values.
An attacker could exploit this lack of access control to:
The severity of the impact depends on the specific use case and how these storage items are used within the Phala runtime.
Recommended Mitigation Steps
Assessed type
Access Control