Open c4-bot-8 opened 3 months ago
141345 marked the issue as primary issue
141345 marked the issue as sufficient quality report
contradicts doc specs
kvinwang (sponsor) confirmed
OpenCoreCH marked the issue as satisfactory
OpenCoreCH marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime/extension.rs#L270
Vulnerability details
Impact
According to the documentation (online and in-line), the availability of the balance_of(...) method (see code below) should be any contract instead of system only which is caused by the present
ensure_system
check.The ensure_system(...) method returns a
BadOrigin
error in case the caller/origin is not the system contract.Consequence:
The availability of the balance_of(...) method is limited to the system contract instead of being accessible to anyone. Therefore, user contracts relying on this method will inevitably fail.
For comparison:
The
import_latest_system_code(...)
method has consistent system only availability according to the implementation and documentation.Proof of Concept
Please add the test case below to
phala-blockchain/crates/pink/runtime/tests/test_pink_contract.rs
and run it withcargo test test_balance_of -- --nocapture
.The test will fail with a BadOrigin error as discussed above.
Tools Used
Manual review
Recommended Mitigation Steps
Remove the
ensure_system
check from the balance_of(...) method to ensure availability for any contract.Assessed type
Invalid Validation