search

code-423n4 / 2024-03-phala-network-findings

0 stars 0 forks source link

Insecure Randomness Generation In Pink Runtime #29

Closed c4-bot-10 closed 3 months ago

c4-bot-10 commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime.rs#L33 https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime.rs#L101

Vulnerability details

Impact

The PinkRuntime framework incorporates the pallet_insecure_randomness_collective_flip pallet for randomness generation, leads to an insecure approach to generate random values, which could potentially be manipulated or anticipated

Proof of Concept

The Randomness Collective Flip pallet utilizes the hashes of the previous 81 blocks to generate a random value.

This appraoch show above is less secure becasue the randomness depends on previous blocks which is predictable and is discouraged for use in production environments in rust docs

frame_support::construct_runtime! {
    pub struct PinkRuntime {
        System: frame_system,
        Timestamp: pallet_timestamp,
        Balances: pallet_balances,
@>      Randomness: pallet_insecure_randomness_collective_flip, 
        Contracts: pallet_contracts,
        Pink: pallet_pink,
    }
}
@> impl pallet_insecure_randomness_collective_flip::Config for PinkRuntime {}

Tools Used

Manual Review

Recommended Mitigation Steps

it is recommended to use more secure appraoch utilizing VRF from the Pallet Babe for randomness generation in PinkRuntime. VRFs provide verifiably random outputs, which are difficult ro predict or influence. 

frame_support::construct_runtime! {
    pub struct PinkRuntime {
        System: frame_system,
        Timestamp: pallet_timestamp,
        Balances: pallet_balances,
-       Randomness: pallet_insecure_randomness_collective_flip, 
+       Randomness: pallet_babe,
        Contracts: pallet_contracts,
        Pink: pallet_pink,
    }
}
- impl pallet_insecure_randomness_collective_flip::Config for PinkRuntime {}
+ impl pallet_babe::Config for PinkRuntime {}

References

Rust Docs - Insecure Randomness Generation

Polkadot Forum

1. Insecure Randomness Generation

Assessed type

Error

c4-pre-sort commented 3 months ago

141345 marked the issue as duplicate of #19

c4-judge commented 3 months ago

OpenCoreCH marked the issue as unsatisfactory: Invalid