Open c4-bot-4 opened 6 months ago
141345 marked the issue as insufficient quality report
wasm bytecode size invalid, the attacker pays the fee
kvinwang (sponsor) acknowledged
wasm bytecode size invalid, the attacker pays the fee
Correct. And there is a size limit check on-chain. But an additional check in the pink-runtime is a nice to have feature. Better as a QA level.
kvinwang (sponsor) confirmed
kvinwang marked the issue as disagree with severity
OpenCoreCH changed the severity to QA (Quality Assurance)
OpenCoreCH marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/runtime/src/runtime/pallet_pink.rs#L134-L146
Vulnerability details
The put_sidevm_code function within the specified pallet stores wasm bytecode associated with a given owner account, and it computes a fee based on the size of the bytecode plus a static item deposit fee. However, there is no explicit check or limit on the maximum size of the bytecode vector (Vec) that can be stored. Consequently, this oversight creates a potential attack vector where a malicious user could upload excessively large wasm binaries, leading to unchecked resource consumption. Such actions could significantly degrade blockchain performance due to storage exhaustion, increase operational costs for node operators, and potentially lead to a denial-of-service condition.
Impact
A malicious actor could exploit this vulnerability by repeatedly uploading very large wasm binaries to the blockchain. Since there's no explicit limit on the code size that can be stored, these actions could lead to significant storage consumption on nodes participating in the blockchain network.
Proof of Concept
As a result: codes of varying sizes, ranging from 10 bytes to 10,000,000 bytes, were stored successfully for a single owner, 'Alice'. With each increase in code size, the fee calculated and collected also increased proportionally, based on the simplistic fee calculation model (1 unit per byte of code plus a flat fee of 100 units). The test concluded with a total of 11,111,810 units collected in fees, reflecting the cumulative cost of storing all the provided codes.
Tools Used
Manual review
Recommended Mitigation Steps
Add a check on the size of the wasm bytecode being uploaded through the put_sidevm_code function. Establish a maximum allowable size for wasm binaries that balances the need for legitimate functionality against the prevention of abuse.
Assessed type
Other
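An added example (not the Phala pallet's own code) that models the PoC and the recommended mitigation together: a minimal put_sidevm_code with the fee rule the PoC describes (1 unit per byte plus a 100-unit deposit), first unchecked as reported, then behind a maximum-size check. Replaying the 10^1..10^7-byte uploads reproduces the 11,111,810-unit total; the cap value MAX_SIDEVM_CODE_SIZE and the HashMap-backed storage are assumptions of the example, not values from the project.

```rust
// Added illustration, not pallet_pink itself: in-memory model of put_sidevm_code
// with the PoC fee rule, unchecked versus size-capped.
use std::collections::HashMap;
type AccountId = &'static str;
const PER_BYTE_FEE: u128 = 1;
const ITEM_DEPOSIT: u128 = 100;
// Assumed cap for the hardened variant; the real limit is a policy decision.
pub const MAX_SIDEVM_CODE_SIZE: usize = 2 * 1024 * 1024;
#[derive(Debug, PartialEq)]
pub enum Error { CodeTooLarge { len: usize, max: usize }, InsufficientBalance }
#[derive(Default)]
pub struct PalletPink {
    pub balances: HashMap<AccountId, u128>,
    pub sidevm_codes: HashMap<AccountId, Vec<u8>>,
    pub fees_collected: u128,
}
impl PalletPink {
    pub fn fee_for(code: &[u8]) -> u128 { code.len() as u128 * PER_BYTE_FEE + ITEM_DEPOSIT }
    // As reported: any size is accepted as long as the owner can pay the fee,
    // so on-chain storage growth is bounded only by the uploader's balance.
    pub fn put_sidevm_code_unchecked(&mut self, owner: AccountId, code: Vec<u8>) -> Result<u128, Error> {
        let fee = Self::fee_for(&code);
        let bal = self.balances.entry(owner).or_insert(0);
        if *bal < fee { return Err(Error::InsufficientBalance); }
        *bal -= fee;
        self.fees_collected += fee;
        self.sidevm_codes.insert(owner, code);
        Ok(fee)
    }
    // Hardened: reject oversized bytecode before balances or storage are touched.
    pub fn put_sidevm_code(&mut self, owner: AccountId, code: Vec<u8>) -> Result<u128, Error> {
        if code.len() > MAX_SIDEVM_CODE_SIZE {
            return Err(Error::CodeTooLarge { len: code.len(), max: MAX_SIDEVM_CODE_SIZE });
        }
        self.put_sidevm_code_unchecked(owner, code)
    }
}
/// Replays the PoC: codes of 10^1..10^7 bytes for one owner; returns (total fees, codes stored).
pub fn replay_poc(checked: bool) -> (u128, usize) {
    let mut p = PalletPink::default();
    p.balances.insert("Alice", 100_000_000); // constructed funded account
    let mut stored = 0;
    for exp in 1..=7u32 {
        let code = vec![0u8; 10usize.pow(exp)];
        let r = if checked { p.put_sidevm_code("Alice", code) } else { p.put_sidevm_code_unchecked("Alice", code) };
        if r.is_ok() { stored += 1; }
    }
    (p.fees_collected, stored)
}
```

With the cap in place the 10,000,000-byte upload is rejected before any fee is taken, so the remaining six uploads cost 1,111,710 units and the largest binary never reaches storage.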