Back to Koolex's contests

Phat Contract Runtime - Koolex's results

Coprocessor for blockchains

General Information

Platform: Code4rena

Start Date: 01/03/2024

Pot Size: $60,500 USDC

Total HM: 4

Participants: 18

Period: 21 days

Judge: Lambda

Total Solo HM: 3

Id: 344

League: POLKADOT

Phala Network

Findings Distribution

Researcher Performance

Rank: 4/18

Findings: 1

Award: $2,606.45

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryPhala Network

Findings Information

🌟 Selected for report: DadeKuma

Also found by: Koolex, zhaojie

Labels

2 (Med Risk)
bug
downgraded by judge
satisfactory
:robot:_13_group
duplicate-43

Awards

2606.4496 USDC - $2,606.45

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L64

Vulnerability details

Impact

Pink Extension provides the possibility to make HTTP requests as a feature through a query. To prevent DoS related attacks, the HTTP request is set with a timeout of 10 seconds. This way, this feature can not be abused to overload the worker.

However, Pink Extension provides the possibility to make batch HTTP requests as well, when doing so, the timeout is an external input (i.e. dynamic value), and there is no upper limit for the timeout here.

pub fn batch_http_request(requests: Vec<HttpRequest>, timeout_ms: u64) -> ext::BatchHttpResult {
.
.
    block_on(async move {
        let futs = requests
            .into_iter()
            .map(|request| async_http_request(request, timeout_ms));	
.
.
.
fn batch_http_request(
	&self,
	requests: Vec<HttpRequest>,
	timeout_ms: u64,
) -> Result<ext::BatchHttpResult, Self::Error> {
	Ok(batch_http_request(requests, timeout_ms))
}

chain-extension/src/lib.rs#L64 chain-extension/src/lib.rs#L194

This can be abused to set too high value for the timeout (u64::MAX=18446744073709551615).

Proof of Concept

The attack path as follows:

  • The maclious actor deploys a Phala contract which makes 5 HTTP request (5 is maximum) as a batch to a server that's created by the actor.

    const MAX_CONCURRENT_REQUESTS: usize = 5;  
if requests.len() > MAX_CONCURRENT_REQUESTS {
    return Err(ext::HttpRequestError::TooManyRequests);
}

    chain-extension/src/lib.rs#L57

  • This server receives HTTP requests but it delays responses for some time (e.g 1 or 2 hours).

  • The maclious actor sends a query to the worker RPC for the Phala contract.

  • The contract gets executed by Pink Runtime via the worker.

  • This execution will last for 1 hour (assuming the timeout set in the contract is 1 hour, can be even more).

As a consequence, the maclious actor can send too many queries to the same worker for this contract, flooding the worker, leading to a DoS eventually or even a crash since the worker could hit the hard limit of the resources set.

Tools Used

Manual analysis

Add a upper limit for the timeout for the batch HTTP request feature.

Assessed type

DoS

#0 - c4-pre-sort

2024-03-25T01:00:33Z

141345 marked the issue as duplicate of #43

#1 - c4-judge

2024-03-28T08:44:34Z

OpenCoreCH changed the severity to 2 (Med Risk)

#2 - c4-judge

2024-03-28T08:45:43Z

OpenCoreCH marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter