code-423n4 / 2024-03-phala-network-findings


Lack of Input Validation in `ExecSideEffects::into_query_only_effects` #92

Closed c4-bot-1 closed 6 months ago

c4-bot-1 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/main/phala-blockchain/crates/pink/capi/src/types.rs#L78-L104

Vulnerability details

The `into_query_only_effects` method of the `ExecSideEffects` enum performs filtering to retain only those events permissible in a query context. However, it lacks input validation to ensure the integrity and authenticity of the input events. Without proper validation, the method may inadvertently process invalid or malicious events, leading to unexpected behavior or vulnerabilities.

Impact

The lack of input validation increases the risk of processing invalid or malicious events, potentially resulting in unexpected behavior, data corruption, or security vulnerabilities. Attackers could exploit this vulnerability to manipulate the behavior of the system or cause denial-of-service (DoS) attacks.

Proof of Concept

```rust
// Example of invalid or malicious events being processed without validation
let invalid_event = PinkEvent::new(/* malicious data */);
let side_effects = ExecSideEffects::V1 {
    pink_events: vec![(AccountId::new(), invalid_event)],
    ink_events: vec![],
    instantiated: vec![],
};
let filtered_effects = side_effects.into_query_only_effects();
```

Tools Used

Manual Review

Recommended Mitigation Steps

Implement thorough input validation in the `into_query_only_effects` method to ensure the integrity and authenticity of the input events. Validate each event to verify its correctness before filtering based on permissions. This can help prevent unexpected behavior and potential vulnerabilities resulting from processing invalid or malicious events.

Assessed type

Invalid Validation
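A simplified model of the query-context filtering this report discusses, added here as an illustration and not taken from the report or from the Phala code base. The `PinkEvent` variants, their payloads, the `allowed_in_query` helper, the `AccountId` alias and the clearing of `ink_events` and `instantiated` are assumptions made for the example; only the names `ExecSideEffects`, `into_query_only_effects` and the three field names come from the page.

```rust
// Simplified model, not the Phala source; variants and payloads are constructed.
type AccountId = [u8; 32];

#[derive(Debug, Clone, PartialEq)]
enum PinkEvent {
    CacheWrite(Vec<u8>),      // constructed: treated as harmless in a query
    SetWeight(u32),           // constructed: state-changing
    UpgradeRuntime(u32, u32), // constructed: state-changing
}

impl PinkEvent {
    // Allow-list with no `_` arm: a new variant will not compile until it is classified.
    fn allowed_in_query(&self) -> bool {
        match self {
            PinkEvent::CacheWrite(_) => true,
            PinkEvent::SetWeight(_) => false,
            PinkEvent::UpgradeRuntime(..) => false,
        }
    }
}

#[derive(Debug, PartialEq)]
enum ExecSideEffects {
    V1 {
        pink_events: Vec<(AccountId, PinkEvent)>,
        ink_events: Vec<(AccountId, Vec<u8>)>,
        instantiated: Vec<(AccountId, AccountId)>,
    },
}

impl ExecSideEffects {
    // Keep only allow-listed events; everything else is dropped (assumed behaviour).
    fn into_query_only_effects(self) -> Self {
        match self {
            ExecSideEffects::V1 { pink_events, .. } => ExecSideEffects::V1 {
                pink_events: pink_events.into_iter().filter(|(_, e)| e.allowed_in_query()).collect(),
                ink_events: vec![],
                instantiated: vec![],
            },
        }
    }
}

fn main() {
    let who: AccountId = [7u8; 32]; // constructed account id
    let pink_events = vec![(who, PinkEvent::SetWeight(9)), (who, PinkEvent::CacheWrite(vec![1]))];
    let fx = ExecSideEffects::V1 { pink_events, ink_events: vec![(who, vec![0])], instantiated: vec![(who, who)] };
    println!("{:?}", fx.into_query_only_effects());
}
```

In this model an event is always a typed enum value, so the filter decides per variant rather than over raw bytes.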

141345 commented 6 months ago

there is match above

c4-pre-sort commented 6 months ago

141345 marked the issue as insufficient quality report

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Invalid