The fee_public can be used to delete all the Aleo credits from user
Summary
The fee_public method can be used to delete all the Aleo credits from user
Vulnerability Detail
self.signer is equivalent to tx.origin, where the self.signer is the originator of the transaction.
This creates a huge risk when used in fee_public because a malicious Aleo program in the call flow can make an external call to fee_public in credits.aleo and set any fee amount to delete which can cause all the Aleo credits of the transaction originator to be deleted.
// The `fee_public` function charges the specified amount from the sender's account.
function fee_public:
// Input the amount.
input r0 as u64.public;
// Input the priority fee amount.
input r1 as u64.public;
// Input the deployment or execution ID.
input r2 as field.public;
// Ensure the amount is nonzero.
assert.neq r0 0u64;
// Ensure the deployment or execution ID is nonzero.
assert.neq r2 0field;
// Add the fee and priority fee amounts.
add r0 r1 into r3;
// Decrement the balance of the sender publicly.
async fee_public self.signer r3 into r4;
// Output the finalize future.
output r4 as credits.aleo/fee_public.future;
finalize fee_public:
// Input the sender's address.
input r0 as address.public;
// Input the total fee amount.
input r1 as u64.public;
// Retrieve the balance of the sender.
// If `account[r0]` does not exist, `fee_public` is reverted.
get account[r0] into r2;
// Decrements `account[r0]` by `r1`.
// If `r2 - r1` underflows, `fee_public` is reverted.
sub r2 r1 into r3;
// Updates the balance of the sender.
set r3 into account[r0];
haxatron
High
The
fee_public
can be used to delete all the Aleo credits from userSummary
The
fee_public
method can be used to delete all the Aleo credits from userVulnerability Detail
self.signer
is equivalent totx.origin
, where theself.signer
is the originator of the transaction.This creates a huge risk when used in
fee_public
because a malicious Aleo program in the call flow can make an external call tofee_public
incredits.aleo
and set any fee amount to delete which can cause all the Aleo credits of the transaction originator to be deleted.https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L1004-L1035
Impact
All the Aleo credits from user can be deleted
Code Snippet
https://github.com/sherlock-audit/2024-05-aleo/blob/main/snarkVM/synthesizer/program/src/resources/credits.aleo#L1004-L1035
Tool used
Manual Review
Recommendation
Not sure how this should be fixed.
Duplicate of #15