Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-853p-5678-hv8f

Опубликовано: 14 июн. 2023
Источник: github
Github: Прошло ревью
CVSS3: 5.3

Описание

ink! vulnerable to incorrect decoding of storage value when using DelegateCall

Summary

The return value when using delegate call mechanics, either through CallBuilder::delegate or ink_env::invoke_contract_delegate, is being decoded incorrectly.

Description

Consider this minimal example:

// First contract, this will be performing a delegate call to the `Callee`. #[ink(storage)] pub struct Caller { value: u128, } #[ink(message)] pub fn get_value(&self, callee_code_hash: Hash) -> u128 { let result = build_call::<DefaultEnvironment>() .delegate(callee_code_hash) .exec_input(ExecutionInput::new(Selector::new(ink::selector_bytes!( "get_value" )))) .returns::<u128>() .invoke(); result } // Different contract, using this code hash for the delegate call. #[ink(storage)] pub struct Callee { value: u128, } #[ink(message)] pub fn get_value(&self) -> u128 { self.value }

In this example we are executing the Callee code in the context of the Caller contract. This means we'll be using the storage values of the Caller contract.

Running this code we expect the delegate call to return value as it was stored in the Caller contract. However, due to the reported bug a different value is returned (for the case of uints it is 256 times the expected value).

Impact

After conducting an analysis of the on-chain deployments of ink! contracts on Astar, Shiden, Aleph Zero, Amplitude and Pendulum, we have found that no contracts on those chains have been affected by the issue.

This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of https://github.com/paritytech/ink/pull/1450. Since this feature was only released in ink! 4.0.0 no previous versions are affected.

Mitigations

If you have an ink! 4.x series contract, please update it to the 4.2.1 patch release that we just published.

Credits

Thank you Facundo Lerena from CoinFabrik for reporting this problem in a well-structured and responsible way.

Ссылки

Пакеты

Наименование

ink

rust
Затронутые версииВерсия исправления

>= 4.0.0, < 4.2.1

4.2.1

Наименование

ink_env

rust
Затронутые версииВерсия исправления

>= 4.0.0, < 4.2.1

4.2.1

EPSS

Процентиль: 39%
0.00178
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2023-34449

Дефекты

CWE-253
CWE-754

Связанные уязвимости

nvd логотип

CVE-2023-34449

CVSS3: 5.3
nvd
больше 2 лет назад

ink! is an embedded domain specific language to write smart contracts in Rust for blockchains built on the Substrate framework. Starting in version 4.0.0 and prior to version 4.2.1, the return value when using delegate call mechanics, either through `CallBuilder::delegate` or `ink_env::invoke_contract_delegate`, is decoded incorrectly. This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of pull request 1450. Since this feature was only released in ink! 4.0.0, no previous versions are affected. Users who have an ink! 4.x series contract should upgrade to 4.2.1 to receive a patch.

EPSS

Процентиль: 39%
0.00178
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2023-34449

Дефекты

CWE-253
CWE-754