GHSA-5v93-9mqw-p9mh – orml-rewards
Package
Manager: cargo
Name: orml-rewards
Vulnerable Version: >=0 <1.2.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Uncaught Panic in ORML Rewards Pallet

## Summary

A vulnerability in the `add_share` function of the **Rewards** pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the `u128` range.

## Affected Components

- **ORML Rewards** pallet (`rewards/src/lib.rs`)
- Any Substrate-based chain using ORML Rewards with `add_share` accepting unvalidated large `u128` inputs

## Technical Details

- `add_share` performs arithmetic on user-supplied values (`add_amount`) of type `T::Share` (mapped to `u128` in Acala).
- If `add_amount` is large enough (e.g., `i128::MAX`), the intermediate result may overflow and panic on the cast to `u128`.
- Validation occurs only after the arithmetic, so a crafted input can trigger the overflow before it is rejected.

## Impact

A malicious user submitting a specially crafted extrinsic can cause a panic in the runtime:

- **Denial of Service** by crashing the node process.
- **Potential for invalid blocks** produced by validators.

## Likelihood

This issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing a sufficiently large multiplication to exceed `u128` bounds.

## Remediation

- This issue is fixed in https://github.com/open-web3-stack/open-runtime-module-library/pull/1016

## Backport

The patch has been backported to the following release branches:

- polkadot-stable2407
- polkadot-stable2409

A 1.0.1 patch release has been made with this fix.
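The following is an added illustration of the failure mode described under Technical Details; it is not ORML's code and does not reproduce the pallet's actual `add_share` logic. It is a hypothetical pool model in which balances are `u64` and the intermediate product is `u128` (the widths are scaled down from the advisory's `u128` so the overflow is reproducible in plain std Rust). The `Pool`, `AddShareError`, `inflation_wide`, `add_share_before_fix`, `add_share_fixed`, `before_fix_panics` and `sample_pool` names and all values are constructed for the example. The pre-fix shape narrows an unvalidated product with `expect`, which panics; the hardened shape validates first and maps every overflow to an `Err` that dispatch can report, which is the property a defender should look for when auditing arithmetic in extrinsic handlers.

```rust
use std::convert::TryFrom;
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Hypothetical pool model, not ORML's types: balances are u64 here and the
/// intermediate product is u128, so the "wide arithmetic, then narrowing
/// cast" failure the advisory describes reproduces in plain std Rust.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Pool {
    pub total_shares: u64,
    pub total_rewards: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AddShareError {
    ZeroAmount,
    ArithmeticOverflow,
}

/// Reward "inflation" that stops a new depositor from claiming rewards that
/// accrued before it joined: add_amount * total_rewards / total_shares.
/// Computed in u128, which cannot overflow for u64 inputs; the risk lies
/// only in narrowing the result back to the balance type.
fn inflation_wide(pool: &Pool, add_amount: u64) -> u128 {
    if pool.total_shares == 0 {
        return 0; // first share in the pool: nothing to dilute
    }
    u128::from(add_amount) * u128::from(pool.total_rewards) / u128::from(pool.total_shares)
}

/// Pre-fix shape: the arithmetic and the narrowing cast run before any
/// validation, and the cast is unwrapped. When total_rewards exceeds
/// total_shares, a large add_amount produces an inflation above u64::MAX
/// and this function panics instead of returning an error.
pub fn add_share_before_fix(pool: &mut Pool, add_amount: u64) -> Result<u64, AddShareError> {
    let inflation = u64::try_from(inflation_wide(pool, add_amount))
        .expect("inflation fits the balance type"); // the uncaught panic
    if add_amount == 0 {
        return Err(AddShareError::ZeroAmount); // validation, but too late
    }
    pool.total_shares += add_amount; // unchecked: a second overflow path
    pool.total_rewards += inflation;
    Ok(inflation)
}

/// Hardened shape: validate first, then turn every overflow into an Err
/// that the extrinsic dispatch can report, so no input aborts the runtime.
pub fn add_share_fixed(pool: &mut Pool, add_amount: u64) -> Result<u64, AddShareError> {
    if add_amount == 0 {
        return Err(AddShareError::ZeroAmount);
    }
    let inflation = u64::try_from(inflation_wide(pool, add_amount))
        .map_err(|_| AddShareError::ArithmeticOverflow)?;
    let total_shares = pool
        .total_shares
        .checked_add(add_amount)
        .ok_or(AddShareError::ArithmeticOverflow)?;
    let total_rewards = pool
        .total_rewards
        .checked_add(inflation)
        .ok_or(AddShareError::ArithmeticOverflow)?;
    // State is written only once every step has succeeded.
    pool.total_shares = total_shares;
    pool.total_rewards = total_rewards;
    Ok(inflation)
}

/// True if the pre-fix version panics on this input. In a Substrate runtime
/// such a panic aborts block execution, which is the denial-of-service case.
pub fn before_fix_panics(pool: &Pool, add_amount: u64) -> bool {
    let mut scratch = pool.clone();
    catch_unwind(AssertUnwindSafe(|| add_share_before_fix(&mut scratch, add_amount))).is_err()
}

/// Constructed pool in which rewards outnumber shares, the kind of pool the
/// advisory's likelihood section identifies as making the overflow reachable.
pub fn sample_pool() -> Pool {
    Pool { total_shares: 1_000, total_rewards: 3_000 }
}

fn main() {
    let big = u64::MAX / 2;
    println!("pre-fix panics on {big}: {}", before_fix_panics(&sample_pool(), big));
    let mut pool = sample_pool();
    println!("fixed, oversized input: {:?}", add_share_fixed(&mut pool, big));
    println!("fixed, normal input:    {:?}", add_share_fixed(&mut pool, 500));
}
```

Running it shows the pre-fix function panicking on the oversized amount while the hardened one returns `Err(ArithmeticOverflow)` for the same input and `Ok(1500)` for a normal deposit. The design point is ordering: every input check precedes the arithmetic, every arithmetic step is checked, and storage is mutated only after all checks pass, so a rejected extrinsic leaves the pool untouched.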
Metadata
Created: 2025-02-14T17:26:08Z
Modified: 2025-02-14T17:26:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-5v93-9mqw-p9mh/GHSA-5v93-9mqw-p9mh.json
CWE IDs: ["CWE-248"]
Alternative ID: N/A
Finding: F140
Auto approve: 1