
Integer overflow in oracle pallet in spacewalk

Open prayagd opened this issue 2 years ago • 3 comments

Context

Issue found by SRL labs in the semi-automated audit.

Summary

An integer overflow in the oracle pallet can be abused by a malicious oracle.

Issue details

There is an integer overflow inside the oracle::begin_block function which is called upon block initialization. A malicious oracle can trigger this overflow by updating the coin info with high supply and price values via set_updated_coin_infos call inside Pendulum's dia-oracle pallet.

Here are example call parameters that will trigger the overflow in the next block initialization:

```rust
// Proof-of-concept extrinsic: extreme `supply` and `price` values that
// overflow the arithmetic in `oracle::begin_block` on the next block.
RuntimeCall::DiaOracleModule(Call::set_updated_coin_infos {
    coin_infos: [(
        ([0], [0]),
        CoinInfo {
            symbol: [],
            name: [0],
            blockchain: [],
            supply: 45172881575663848363994640109535494224,
            last_update_timestamp: 60000533389444330,
            price: 338974337383797358236404514952583315520,
        })]
});
```

Risk

By triggering this integer overflow, a malicious oracle can:

- Crash the nodes compiled in debug mode with overflow checks enabled
- On nodes which have overflow checks disabled, cause unexpected behaviors and logic inconsistencies

We assigned a severity of low to this issue since it can only be triggered by permissioned oracles.

Mitigation

Implement proper integer overflow handling by checking call arguments and using safe arithmetic functions.

prayagd avatar Jul 31 '23 07:07 prayagd
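A reduced illustration of the unchecked versus checked arithmetic, added here as an example and not taken from spacewalk's oracle pallet. It assumes the overflowing operation is a `supply * price` product (the issue does not show the actual `begin_block` code), reuses the values from the proof-of-concept call above, and uses hypothetical `MAX_SUPPLY` / `MAX_PRICE` bounds for the argument check.

```rust
// Added example, not spacewalk code. Assumption: the overflowing step is a
// product of the oracle-supplied `supply` and `price` values.

#[derive(Debug, Clone, PartialEq)]
pub struct CoinInfo {
    pub supply: u128,
    pub last_update_timestamp: u64,
    pub price: u128,
}

#[derive(Debug, PartialEq)]
pub enum OracleError {
    ArithmeticOverflow,
    ValueOutOfRange,
}

/// Values taken from the proof-of-concept call in the issue.
pub fn poc_coin_info() -> CoinInfo {
    CoinInfo {
        supply: 45_172_881_575_663_848_363_994_640_109_535_494_224,
        last_update_timestamp: 60_000_533_389_444_330,
        price: 338_974_337_383_797_358_236_404_514_952_583_315_520,
    }
}

/// What plain `supply * price` does on a release build (overflow checks
/// off): the product silently wraps modulo 2^128. With checks on, the
/// same `*` would panic and abort block initialization instead.
pub fn market_cap_wrapping(info: &CoinInfo) -> u128 {
    info.supply.wrapping_mul(info.price)
}

/// Safe arithmetic: overflow becomes an error the caller must handle.
pub fn market_cap_checked(info: &CoinInfo) -> Result<u128, OracleError> {
    info.supply
        .checked_mul(info.price)
        .ok_or(OracleError::ArithmeticOverflow)
}

/// Hypothetical bounds enforced at the extrinsic boundary: with both
/// factors below 2^64 the product can never exceed u128.
pub const MAX_SUPPLY: u128 = 1u128 << 64;
pub const MAX_PRICE: u128 = 1u128 << 64;

/// Argument check for `set_updated_coin_infos`: reject values the
/// downstream arithmetic cannot handle before they are stored.
pub fn validate_coin_info(info: &CoinInfo) -> Result<(), OracleError> {
    if info.supply > MAX_SUPPLY || info.price > MAX_PRICE {
        return Err(OracleError::ValueOutOfRange);
    }
    Ok(())
}
```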

Hey team! Please add your planning poker estimate with Zenhub @adelarja @ashneverdawn @b-yap @ebma @TorstenStueber

prayagd avatar Jul 31 '23 07:07 prayagd

@ebma do you still think this is low priority? If yes, should I move it to the icebox if it holds future relevance?

prayagd avatar Nov 30 '23 10:11 prayagd

Yes, it only would have a higher priority once we decide to let a third party have an authorized account that is allowed to feed price info to our chain. Since it's a security issue we should fix it before this happens. But as long as it's only us feeding the price info, there is no problem.

ebma avatar Dec 04 '23 16:12 ebma