Closed c4-bot-2 closed 6 months ago
141345 marked the issue as primary issue
141345 marked the issue as sufficient quality report
Yes, the local cache is designed to allow data loss.
However, there is no function for a worker to insert data into the cache. Workers are always honest as they run in a TEE and are always verified before running a contract.
kvinwang (sponsor) disputed
OpenCoreCH marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/local_cache.rs#L100-L125
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/local_cache.rs#L58-L90
Vulnerability details
Impact
A malicious worker can forcibly have cache data removed
Proof of Concept
The function set allows a contract to add data to the cache, as shown here:
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/local_cache.rs#L100-L125
Also pay attention to the function fit_size, which is called from within apply_quotas:
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/local_cache.rs#L55-L79
Since the cache has a maximum size, a malicious worker can forcibly evict data by growing the cache with calls to set and then calling apply_quotas, which in turn calls fit_size. By adding fluff data that pushes the cache past its maximum size, the bad actor can force legitimate data to be evicted earlier than it otherwise would have been.
Example:
An attacker discovers that the cache's maximum size is set to 10MB. They decide to exploit the system by inserting "fluff" data into the cache. The attacker creates numerous key-value pairs, where each pair is approximately 1MB in size. They use the set function to insert these pairs one by one into the cache. After inserting the first 10 pairs, the cache reaches its maximum capacity of 10MB.
To exacerbate the situation, the attacker continues to insert additional fluff data. For every new insertion that exceeds the 10MB limit, the cache management system evicts the oldest data to make room for the new data, as dictated by the fit_size method. This process results in legitimate data being prematurely removed from the cache.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding a rate limit (e.g. a per-user limit) to mitigate such an attack.
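As an added illustration (not code from Phala's local_cache.rs or from the project), the following Rust model contrasts the two designs discussed above: a single size-capped cache that evicts oldest entries first, which is the behaviour the report attributes to fit_size, and the same cache partitioned by a fixed per-tenant quota in the spirit of the recommended mitigation. The names CappedCache and QuotaCache, the FIFO eviction order, and the 10 MB cap with 1 MB fluff entries are assumptions taken from the report's example, not from the real implementation.

```rust
// Added illustrative model, not Phala's local_cache.rs: a size-capped cache
// with oldest-first eviction, first shared by every writer and then split
// into per-tenant quotas so one tenant's writes cannot evict another's data.
use std::collections::{HashMap, VecDeque};

const MB: usize = 1 << 20;

#[derive(Debug)]
struct Entry {
    key: Vec<u8>,
    size: usize,
}

/// Cache with a total byte cap. When a write would exceed the cap, the oldest
/// entries are evicted until the new one fits (FIFO is an assumption here;
/// the real eviction policy is not modelled).
struct CappedCache {
    max_size: usize,
    used: usize,
    entries: VecDeque<Entry>, // front = oldest
}

impl CappedCache {
    fn new(max_size: usize) -> Self {
        CappedCache { max_size, used: 0, entries: VecDeque::new() }
    }

    /// Insert `key` occupying `size` bytes; returns the keys evicted to make room.
    fn set(&mut self, key: &[u8], size: usize) -> Result<Vec<Vec<u8>>, &'static str> {
        if size > self.max_size {
            return Err("entry larger than the whole cache");
        }
        // Overwriting an existing key must not double-count its size.
        if let Some(pos) = self.entries.iter().position(|e| e.key == key) {
            let old = self.entries.remove(pos).expect("position came from iter");
            self.used -= old.size;
        }
        let mut evicted = Vec::new();
        while self.used + size > self.max_size {
            let old = self.entries.pop_front().expect("used > 0 implies an entry");
            self.used -= old.size;
            evicted.push(old.key);
        }
        self.entries.push_back(Entry { key: key.to_vec(), size });
        self.used += size;
        Ok(evicted)
    }

    fn contains(&self, key: &[u8]) -> bool {
        self.entries.iter().any(|e| e.key == key)
    }
}

/// Mitigation in the spirit of the report's recommendation: every tenant
/// (e.g. a contract id) gets its own fixed quota, so a flood of writes by one
/// tenant can only evict that tenant's own entries.
struct QuotaCache {
    quota: usize,
    per_tenant: HashMap<String, CappedCache>,
}

impl QuotaCache {
    fn new(quota: usize) -> Self {
        QuotaCache { quota, per_tenant: HashMap::new() }
    }

    fn set(&mut self, tenant: &str, key: &[u8], size: usize) -> Result<Vec<Vec<u8>>, &'static str> {
        let quota = self.quota;
        self.per_tenant
            .entry(tenant.to_string())
            .or_insert_with(|| CappedCache::new(quota))
            .set(key, size)
    }

    fn contains(&self, tenant: &str, key: &[u8]) -> bool {
        self.per_tenant.get(tenant).map_or(false, |c| c.contains(key))
    }
}

/// Scenario from the report on a shared cache: a victim stores one entry,
/// then a noisy tenant writes 1 MB fluff entries past the 10 MB cap.
/// Returns whether the victim's entry survived.
fn victim_survives_shared() -> bool {
    let mut cache = CappedCache::new(10 * MB);
    cache.set(b"victim:balance", 512 * 1024).unwrap();
    for i in 0..12 {
        let key = format!("fluff:{}", i);
        cache.set(key.as_bytes(), MB).unwrap();
    }
    cache.contains(b"victim:balance")
}

/// Same write pattern against the per-tenant quota cache.
fn victim_survives_with_quota() -> bool {
    let mut cache = QuotaCache::new(10 * MB);
    cache.set("victim", b"balance", 512 * 1024).unwrap();
    for i in 0..12 {
        let key = format!("fluff:{}", i);
        cache.set("noisy", key.as_bytes(), MB).unwrap();
    }
    cache.contains("victim", b"balance")
}

fn main() {
    println!("shared cache keeps victim entry: {}", victim_survives_shared());
    println!("quota cache keeps victim entry:  {}", victim_survives_with_quota());
}
```

In the shared model the victim's 512 KB entry is the oldest, so the tenth 1 MB write evicts it; with a per-tenant quota the noisy tenant only ever evicts its own fluff, which is the property a per-user limit buys regardless of the exact eviction order.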
Assessed type
DoS