Closed c4-bot-2 closed 3 months ago
https://github.com/code-423n4/2024-03-phala-network/blob/main/phala-blockchain/crates/pink/runtime/src/storage/external_backend.rs#L34
Detailed description of the impact of this finding. k[k.len() - 32.. k.len() can be less than 32.
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
impl CommitTransaction for ExternalBackend { fn commit_transaction(&mut self, root: Hash, mut transaction: BackendTransaction) { let changes = transaction .drain() .into_iter() @> .map(|(k, v)| (k[k.len() - 32..].to_vec(), v)) .collect(); OCallImpl.storage_commit(root, changes) } }
check that k.len() > 32
Context
141345 marked the issue as duplicate of #80
OpenCoreCH marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/main/phala-blockchain/crates/pink/runtime/src/storage/external_backend.rs#L34
Vulnerability details
Impact
Detailed description of the impact of this finding. k[k.len() - 32.. k.len() can be less than 32.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
impl CommitTransaction for ExternalBackend { fn commit_transaction(&mut self, root: Hash, mut transaction: BackendTransaction) {
let changes = transaction
.drain()
.into_iter()
@> .map(|(k, v)| (k[k.len() - 32..].to_vec(), v))
.collect();
OCallImpl.storage_commit(root, changes)
}
}
Tools Used
Recommended Mitigation Steps
check that k.len() > 32
Assessed type
Context