Closed c4-bot-5 closed 3 months ago
141345 marked the issue as primary issue
141345 marked the issue as sufficient quality report
unused parts in TransactionArguments struct
The transfer is handled by pallet-contracts.
kvinwang (sponsor) disputed
OpenCoreCH marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/capi/ecall_impl.rs#L306-L310
Vulnerability details
Impact
It won't be possible to send funds to contracts by using the transfer field of the TransactionArguments struct, as the runtime only takes into account the balances field for that.
Proof of Concept
In Substrate, we use the Balances pallet to be able to send funds from one address to another. In such a crate, there are several functions to accomplish this, but the ecall's implementation makes use of deposit_creating, which will always add the funds to the callee address (unless some requirements are met). If we go to ecall_impl.rs, function handle_deposit, we see that such a function is responsible for this task, which is called by contract_call and contract_instantiate. However, it only checks for the deposit field of the TransactionArguments struct, even though it is possible to transfer funds by setting its value to 0 and setting up the field transfer:
That means if the caller tries to transfer funds as explained above, the logical branch inside handle_deposit won't be triggered and no funds will be transferred to the callee at all.
Recommended Mitigation Steps
I would modify the handle_deposit function like the following to take into account both cases:
so that either users send tokens via the deposit field or the transfer one, but not both at a time.
Assessed type
Other