There's suffering from inconsistent error handling and a lack of proper error propagation. Some functions, such as instantiate and bare_call, return raw Vec<u8> without proper error propagation, making it difficult to determine the success or failure of the operation. Additionally, the codebase relies on the anyhow crate for error handling, which provides flexibility but may lead to inconsistencies in how errors are handled across different parts of the system.
The instantiate and bare_call functions return ContractInstantiateResult and ContractExecResult respectively, which are raw Vec<u8> types. This makes it difficult for the caller to determine the success or failure of the operation and handle errors appropriately.
The issue is the Inconsistent usage of error-handling mechanisms, such as mixing the use of anyhow with other error-handling approaches.
Returning raw Vec<u8> instead of a structured error type, which makes it difficult to distinguish between successful and error cases.
Impact
Errors may be silently swallowed or not properly propagated, making it challenging to diagnose and fix issues.
Tools Used
Manual audit
Recommended Mitigation Steps
Define a consistent error handling strategy across the codebase, using a common error type or trait that can be used to represent and propagate errors.
Update functions like instantiate and bare_call to return a structured result type, such as Result<T, E>, where T represents the success value and E represents the error type.
Ensure that errors are properly propagated and not swallowed silently. Use the ? operator or match expressions to handle and propagate errors explicitly.
Provide clear and informative error messages that include relevant context and details about the error, making it easier to diagnose and fix issues.
Consider using a more robust error handling framework or library, such as thiserror or anyhow, to define custom error types and provide additional error context.
By establishing a consistent error handling strategy and properly propagating errors, the codebase can be made more maintainable, reliable, and secure. It allows for better error diagnosis, handling, and logging, reducing the chances of unexpected behavior or security vulnerabilities.
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/contract.rs#L149-L230
Vulnerability details
MED: Inconsistent Error Handling and Lack of Proper Error Propagation LOC: pub fn instantiate, pub fn bare_call
Description
There's suffering from inconsistent error handling and a lack of proper error propagation. Some functions, such as
instantiate
andbare_call
, return rawVec<u8>
without proper error propagation, making it difficult to determine the success or failure of the operation. Additionally, the codebase relies on theanyhow
crate for error handling, which provides flexibility but may lead to inconsistencies in how errors are handled across different parts of the system.The
instantiat
e andbare_call
functions returnContractInstantiateResult
andContractExecResult
respectively, which are rawVec<u8> types
. This makes it difficult for the caller to determine the success or failure of the operation and handle errors appropriately.The issue is the Inconsistent usage of error-handling mechanisms, such as mixing the use of
anyhow
with other error-handling approaches.Returning raw
Vec<u8>
instead of a structured error type, which makes it difficult to distinguish between successful and error cases.Impact
Errors may be silently swallowed or not properly propagated, making it challenging to diagnose and fix issues.
Tools Used
Manual audit
Recommended Mitigation Steps
Define a consistent error handling strategy across the codebase, using a common error type or trait that can be used to represent and propagate errors.
Update functions like
instantiate
andbare_call
to return a structured result type, such asResult<T, E>
, whereT
represents the success value andE
represents the error type.Ensure that errors are properly propagated and not swallowed silently. Use the
?
operator ormatch
expressions to handle and propagate errors explicitly.Provide clear and informative error messages that include relevant context and details about the error, making it easier to diagnose and fix issues.
Consider using a more robust error handling framework or library, such as
thiserror
oranyhow
, to define custom error types and provide additional error context.By establishing a consistent error handling strategy and properly propagating errors, the codebase can be made more maintainable, reliable, and secure. It allows for better error diagnosis, handling, and logging, reducing the chances of unexpected behavior or security vulnerabilities.
Assessed type
Error