Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04NTNwLTU2NzgtaHY4Zs4AAz3Y
ink! vulnerable to incorrect decoding of storage value when using `DelegateCall`
Summary
The return value when using delegate call mechanics, either through CallBuilder::delegate or ink_env::invoke_contract_delegate, is being decoded incorrectly.
Description
Consider this minimal example:
// First contract, this will be performing a delegate call to the `Callee`.
#[ink(storage)]
pub struct Caller {
value: u128,
}
#[ink(message)]
pub fn get_value(&self, callee_code_hash: Hash) -> u128 {
let result = build_call::<DefaultEnvironment>()
.delegate(callee_code_hash)
.exec_input(ExecutionInput::new(Selector::new(ink::selector_bytes!(
"get_value"
))))
.returns::<u128>()
.invoke();
result
}
// Different contract, using this code hash for the delegate call.
#[ink(storage)]
pub struct Callee {
value: u128,
}
#[ink(message)]
pub fn get_value(&self) -> u128 {
self.value
}
In this example we are executing the Callee code in the context of the Caller contract. This means we'll be using the storage values of the Caller contract.
Running this code we expect the delegate call to return value as it was stored in the Caller contract. However, due to the reported bug a different value is returned (for the case of uints it is 256 times the expected value).
Impact
After conducting an analysis of the on-chain deployments of ink! contracts on Astar, Shiden, Aleph Zero, Amplitude and Pendulum, we have found that no contracts on those chains have been affected by the issue.
This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of https://github.com/paritytech/ink/pull/1450. Since this feature was only released in ink! 4.0.0 no previous versions are affected.
Mitigations
If you have an ink! 4.x series contract, please update it to the 4.2.1 patch release that we just published.
Credits
Thank you Facundo Lerena from CoinFabrik for reporting this problem in a well-structured and responsible way.
Permalink: https://github.com/advisories/GHSA-853p-5678-hv8fJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NTNwLTU2NzgtaHY4Zs4AAz3Y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Identifiers: GHSA-853p-5678-hv8f, CVE-2023-34449
References:
- https://github.com/paritytech/ink/security/advisories/GHSA-853p-5678-hv8f
- https://github.com/paritytech/ink/pull/1450
- https://github.com/paritytech/ink/commit/f1407ee9f87e5f64d467a22d26ee88f61db7f3db
- https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate
- https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-34449
- https://github.com/advisories/GHSA-853p-5678-hv8f
Blast Radius: 10.8
Affected Packages
cargo:ink_env
Dependent packages: 42Dependent repositories: 110
Downloads: 246,761 total
Affected Version Ranges: >= 4.0.0, < 4.2.1
Fixed in: 4.2.1
All affected versions: 4.0.0, 4.0.1, 4.1.0, 4.2.0
All unaffected versions: 0.0.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.3.0, 3.3.1, 3.4.0, 4.2.1, 4.3.0, 5.0.0
cargo:ink
Dependent packages: 19Dependent repositories: 106
Downloads: 98,829 total
Affected Version Ranges: >= 4.0.0, < 4.2.1
Fixed in: 4.2.1
All affected versions: 4.0.0, 4.0.1, 4.1.0, 4.2.0
All unaffected versions: 0.0.0, 4.2.1, 4.3.0, 5.0.0