Open c4-bot-5 opened 3 months ago
141345 marked the issue as insufficient quality report
PinkEvent is not that complicated
OpenCoreCH changed the severity to QA (Quality Assurance)
Potential QA improvement, but no reasoning / explicit PinkEvent given how this can lead to problems in the codebase
OpenCoreCH marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime/extension.rs#L61
Vulnerability details
Impact
The function get_side_effects() uses unbounded decoding of Pink events within the ContractEvent::ContractEmitted match arm. If Pink events are highly nested, the decoding process can recursively consume stack space until it exhausts the available stack, resulting in a stack overflow.
Proof of Concept
Vulnerable part of the function:
The problem is that when the function attempts to decode Pink events from the data, it does so without any limit on the depth of the decoding process. This means that if the Pink events within the data are structured in a highly nested manner, the decoding process will recursively traverse through each nested level, consuming one stack frame per level.
Step-by-step details of how it can happen
Tools Used
Manual Review
Recommended Mitigation Steps
A recommended solution is to set a depth limit for decoding Pink events. The decode_with_depth_limit method should be used instead of decode to ensure the decoding process does not exceed a certain depth, preventing stack overflow. Mitigation can be done as follows:
Judges and sponsor should adjust the MAX_DEPTH constant based on the complexity of Pink events.
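The shape of the fix, as an added stand-alone example that is not the Phala code or the finding author's snippet: a toy recursive, SCALE-style event type (ToyEvent, standing in for PinkEvent) is decoded once without a bound and once through a depth check that refuses input nested deeper than MAX_DEPTH before recursing further. The names ToyEvent, decode_unbounded, decode_at, encode_nested and the MAX_DEPTH value of 16 are all assumptions for illustration; decode_with_depth_limit here is a hand-written stand-in for parity-scale-codec's DecodeLimit::decode_with_depth_limit, not the crate's implementation.

```rust
// Added example: depth-limited decoding of a recursive, SCALE-style event
// encoding. ToyEvent, the variant tags and MAX_DEPTH = 16 are assumptions;
// decode_with_depth_limit stands in for the codec's DecodeLimit API.

/// Toy recursive event: variant byte 0 = Leaf(u8), variant byte 1 = Nested(inner).
#[derive(Debug, PartialEq)]
pub enum ToyEvent {
    Leaf(u8),
    Nested(Box<ToyEvent>),
}

#[derive(Debug, PartialEq)]
pub enum DecodeError {
    UnexpectedEof,
    BadVariant(u8),
    DepthLimitExceeded,
}

/// Maximum nesting accepted by the bounded decoder. Placeholder value; a real
/// deployment tunes it to the deepest legitimate event shape.
pub const MAX_DEPTH: u32 = 16;

/// Consumes one byte from the input slice, advancing it.
fn take_byte(input: &mut &[u8]) -> Result<u8, DecodeError> {
    let bytes: &[u8] = *input;
    let (&first, rest) = bytes.split_first().ok_or(DecodeError::UnexpectedEof)?;
    *input = rest;
    Ok(first)
}

/// Unbounded decoder: the pattern the finding flags. Every Nested level is one
/// more stack frame, so stack usage is controlled entirely by the input.
pub fn decode_unbounded(input: &mut &[u8]) -> Result<ToyEvent, DecodeError> {
    match take_byte(input)? {
        0 => Ok(ToyEvent::Leaf(take_byte(input)?)),
        1 => Ok(ToyEvent::Nested(Box::new(decode_unbounded(input)?))),
        t => Err(DecodeError::BadVariant(t)),
    }
}

/// Bounded decoder: rejects input nested deeper than MAX_DEPTH before
/// recursing any further, so stack depth has a fixed upper bound.
pub fn decode_with_depth_limit(input: &mut &[u8]) -> Result<ToyEvent, DecodeError> {
    decode_at(input, 0)
}

fn decode_at(input: &mut &[u8], depth: u32) -> Result<ToyEvent, DecodeError> {
    if depth > MAX_DEPTH {
        return Err(DecodeError::DepthLimitExceeded);
    }
    match take_byte(input)? {
        0 => Ok(ToyEvent::Leaf(take_byte(input)?)),
        1 => Ok(ToyEvent::Nested(Box::new(decode_at(input, depth + 1)?))),
        t => Err(DecodeError::BadVariant(t)),
    }
}

/// Constructed input: `levels` Nested wrappers around Leaf(leaf).
pub fn encode_nested(levels: usize, leaf: u8) -> Vec<u8> {
    let mut out = vec![1u8; levels];
    out.push(0);
    out.push(leaf);
    out
}

/// Counts Nested wrappers in a decoded event (used to check round trips).
pub fn nesting_depth(event: &ToyEvent) -> usize {
    match event {
        ToyEvent::Leaf(_) => 0,
        ToyEvent::Nested(inner) => 1 + nesting_depth(inner),
    }
}

fn main() {
    let ok = encode_nested(MAX_DEPTH as usize, 7);
    let too_deep = encode_nested(MAX_DEPTH as usize + 1, 7);
    // Bounded decoder accepts exactly MAX_DEPTH levels and rejects one more.
    println!("{:?}", decode_with_depth_limit(&mut ok.as_slice()).map(|e| nesting_depth(&e)));
    println!("{:?}", decode_with_depth_limit(&mut too_deep.as_slice()));
    // The unbounded decoder happily follows the extra level; with untrusted
    // input the recursion depth is whatever the sender chooses.
    println!("{:?}", decode_unbounded(&mut too_deep.as_slice()).map(|e| nesting_depth(&e)));
}
```

The depth check runs before the recursive call, so the bounded decoder never allocates a frame past the limit; a detection-oriented variant would additionally log DepthLimitExceeded, since legitimate events should never approach the configured bound.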
Reference
Unbounded Decoding Vulnerability
Assessed type
Under/Overflow