logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-34449 ink

Package

Manager: cargo
Name: ink
Vulnerable Version: >=4.0.0 <4.2.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00178 pctl0.39605

Details

ink! vulnerable to incorrect decoding of storage value when using `DelegateCall` ### Summary The return value when using delegate call mechanics, either through [`CallBuilder::delegate`](https://docs.rs/ink_env/4.2.0/ink_env/call/struct.CallBuilder.html#method.delegate) or [`ink_env::invoke_contract_delegate`](https://docs.rs/ink_env/4.2.0/ink_env/fn.invoke_contract_delegate.html), is being decoded incorrectly. ### Description Consider this minimal example: ```rust // First contract, this will be performing a delegate call to the `Callee`. #[ink(storage)] pub struct Caller { value: u128, } #[ink(message)] pub fn get_value(&self, callee_code_hash: Hash) -> u128 { let result = build_call::<DefaultEnvironment>() .delegate(callee_code_hash) .exec_input(ExecutionInput::new(Selector::new(ink::selector_bytes!( "get_value" )))) .returns::<u128>() .invoke(); result } // Different contract, using this code hash for the delegate call. #[ink(storage)] pub struct Callee { value: u128, } #[ink(message)] pub fn get_value(&self) -> u128 { self.value } ``` In this example we are executing the `Callee` code in the context of the `Caller` contract. This means we'll be using the storage values of the `Caller` contract. Running this code we expect the delegate call to return `value` as it was stored in the `Caller` contract. However, due to the reported bug a different value is returned (for the case of `uint`s it is `256` times the expected value). ### Impact After conducting an analysis of the on-chain deployments of ink! contracts on Astar, Shiden, Aleph Zero, Amplitude and Pendulum, we have found that no contracts on those chains have been affected by the issue. This bug was related to the mechanics around decoding a call's return buffer, which was changed as part of https://github.com/paritytech/ink/pull/1450. Since this feature was only released in ink! 4.0.0 no previous versions are affected. ### Mitigations If you have an ink! 4.x series contract, please update it to the [4.2.1](https://github.com/paritytech/ink/releases/tag/v4.2.1) patch release that we just published. ### Credits Thank you Facundo Lerena from [CoinFabrik](https://www.coinfabrik.com) for reporting this problem in a well-structured and responsible way.

Metadata

Created: 2023-06-14T20:11:38Z
Modified: 2023-06-16T17:57:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-853p-5678-hv8f/GHSA-853p-5678-hv8f.json
CWE IDs: ["CWE-253", "CWE-754"]
Alternative ID: GHSA-853p-5678-hv8f
Finding: F184
Auto approve: 1