wormhole icon indicating copy to clipboard operation
wormhole copied to clipboard

Published 20 hours ago verified publisher icon wormhole-foundation

TOB-WORM-4: Panicking on invalid inputs in Solana contracts

Open tbjump opened this issue 3 years ago • 16 comments
trafficstars

Severity: Informational

Description

In several places within the solana smart contracts, the code panics when an arithmetic overflow/underflow occurs. Panics should be reserved for programer errors, e.g., assertion violations. Panicking on user errors dilutes panics’ utility.

Exploit Scenario

Alice, a Wormhole developer, observes a panic in the Wormhole codebase. Alice ignores the panic believing it is caused by user error, but it is actually caused by a bug she introduced.

Recommendations

Short term, reserve panics for programmer errors. Return Result::Err for user errors. Adopting such a policy will help to distinguish the two types of errors when they occur.

Long term, consider denying the following Clippy lints: ● clippy::expect_used ● clippy::unwrap_used ● clippy::panic Doing so will not prevent all panics, but it will prevent many of them.

tbjump avatar Sep 06 '22 19:09 tbjump

Are there repro steps? Interested to take this on.

kii-dot avatar Sep 23 '22 05:09 kii-dot

Hi, for more details please see the audit report from ToB, item TOB-WORM-4 https://storage.googleapis.com/wormhole-audits/Wormhole_Audit_Report_TrailOfBits_2022-09.pdf

tbjump avatar Sep 25 '22 04:09 tbjump

When I'm building the solana package, I'm getting

error: environment variable `BRIDGE_ADDRESS` not defined
   --> bridge/program/src/accounts/posted_vaa.rs:102:46
    |
102 |         AccountOwner::Other(Pubkey::from_str(env!("BRIDGE_ADDRESS")).unwrap())
    |                                              ^^^^^^^^^^^^^^^^^^^^^^
    |
    = note: this error originates in the macro `env` (in Nightly builds, run with -Z macro-backtrace for more info)

error: environment variable `EMITTER_ADDRESS` not defined
  --> bridge/program/src/api/governance.rs:47:28
   |
47 |     let expected_emitter = std::env!("EMITTER_ADDRESS");

Are there dummy address that I can use?

kii-dot avatar Oct 02 '22 06:10 kii-dot

#1672

kii-dot avatar Oct 02 '22 07:10 kii-dot

I believe this can be closed now since #1672 has been merged

kii-dot avatar Oct 30 '22 07:10 kii-dot

I think some of the cases in the cosmwasm token bridge may have been missed due to changes that occurred after you started your PR. Leaving this open until someone confirms. Feel free to take a look as well @kii-dot 🙂

evan-gray avatar Oct 30 '22 11:10 evan-gray

sounds good. I'll work on that. If there are more rust work do tag me :) @evan-gray

kii-dot avatar Oct 30 '22 19:10 kii-dot

Hey @kii-dot @evan-gray, are you still working on it?

For this issue to be considered fixed, the clippy lints should be enabled in CI. Anyone want to take a stab at that?

tbjump avatar Nov 29 '22 18:11 tbjump

Since I've been working on it, let me take it up.

kii-dot avatar Nov 30 '22 06:11 kii-dot

hey @tbjump @evan-gray Due to my schedule, I wont be able to attack this for the current time being. :(

kii-dot avatar Dec 18 '22 20:12 kii-dot

@aadam-10 is this open to take up?

ameya-deshmukh avatar Apr 28 '23 14:04 ameya-deshmukh

hi @ameya-deshmukh, please feel free to take a shot at this.

aadam-10 avatar May 02 '23 14:05 aadam-10

hi @ameya-deshmukh, do you have any updates on this?

aadam-10 avatar May 25 '23 14:05 aadam-10

Hey @aadam-10! Give me till the weekend to open a PR for this?

ameya-deshmukh avatar May 26 '23 05:05 ameya-deshmukh

hi @ameya-deshmukh, wondering if you'd had a chance to look into this. it's not urgent or anything, but someone else may want to pick it up.

aadam-10 avatar Jun 20 '23 11:06 aadam-10

hi @aadam-10 yes. I'm actually working on a related project being built on Wormhole and this is actually one of the few issues which seemed relevant to be solved. I'll be opening a PR soon. Cheers

ameya-deshmukh avatar Jun 21 '23 04:06 ameya-deshmukh