Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Low] Usage of unsafe arithmetics in multiple pallets #31

Open
sebastianmontero opened this issue Jan 8, 2024 · 1 comment · Fixed by #42
Open

[Low] Usage of unsafe arithmetics in multiple pallets #31

sebastianmontero opened this issue Jan 8, 2024 · 1 comment · Fixed by #42
Assignees
@didiermis
Milestone
Hashed Network Se...

Comments

@sebastianmontero
Copy link
Contributor

[Low] Usage of unsafe arithmetics in multiple pallets

Summary

Unsafe arithmetic is being used in multiple pallets, which can lead to integer overflows or underflows and cause unexpected results.

Issue details

We found multiple usages of unsafe arithmetics that we could not confirm to be safe. Details for an example follow:

The function do_start_take_sell_order uses unsafe arithmetics in multiple places, e.g.:

pub fn do_start_take_sell_order(
    authority: OriginFor<T>,
    order_id: [u8; 32],
    tax_credit_amount: T::Balance,
) -> DispatchResult
where
    <T as pallet_uniques::Config>::ItemId: From<u32>,
{
// ...
    ensure!(
        Self::do_get_afloat_balance(who.clone()) >=
// --> Unsafe multiplication
            offer.price_per_credit * tax_credit_amount.into(),
        Error::<T>::NotEnoughAfloatBalanceAvailable
    );

// ...

// --> Unsafe multiplication
    let total_price: T::Balance = price_per_credit * tax_credit_amount;

Since price_per_credit is initially set to the price argument from the create_offer extrinsic parameter, an overflow could likely be triggered.

Additional findings are:

Risk

By triggering an integer overflow, a malicious actor can:

  1. Crash the nodes compiled in debug mode with overflow checks enabled
  2. On nodes which have overflow checks disabled, unexpected behaviors and logic inconsistencies

Mitigation

Implement proper integer overflow handling by checking call arguments and using safe arithmetic functions (e.g.: saturating_mul, checked_mul).

Hashed is using unsafe arithmetic operations in multiple locations in the source code. We strongly suggest to review the usage of these functions and to migrate to safe arithmetic functions instead.
@sebastianmontero
Copy link
Contributor Author

We should look for all arithmetic operations and make sure that the safe (saturating or checked) versions are being used.

@tlacloc tlacloc assigned didiermis and unassigned tlacloc Mar 13, 2024
@didiermis didiermis mentioned this issue Mar 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@didiermis didiermis

Labels
None yet
Projects
None yet
Milestone
Hashed Network Security Fixes
Development

Successfully merging a pull request may close this issue.

Fix/unsafe arithmetics hashed-io/hashed-pallets
3 participants
@sebastianmontero @tlacloc @didiermis