GHSA-5V93-9MQW-P9MH
Vulnerability from github – Published: 2025-02-14 17:26 – Updated: 2025-02-14 17:26
VLAI
Summary
Uncaught Panic in ORML Rewards Pallet
Details
Summary
A vulnerability in the add_share function of the Rewards pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the u128 range.
Affected Components
- ORML Rewards pallet (
rewards/src/lib.rs) - Any Substrate-based chain using ORML Rewards with
add_shareaccepting unvalidated largeu128inputs
Technical Details
add_shareperforms arithmetic on user-supplied values (add_amount) of typeT::Share(mapped tou128in Acala).- If
add_amountis large enough (e.g.,i128::MAX), the intermediate result may overflow and panic on the cast tou128. - Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow.
Impact
A malicious user submitting a specially crafted extrinsic can cause a panic in the runtime: - Denial of Service by crashing the node process. - Potential for invalid blocks produced by validators.
Likelihood
This issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing sufficiently large multiplication to exceed u128 bounds.
Remediation
- This issue is fixed in https://github.com/open-web3-stack/open-runtime-module-library/pull/1016
Backport
The patch have been backported to following release branches: - polkadot-stable2407 - polkadot-stable2409
A 1.0.1 patch release is made with this fix.
Severity
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "orml-rewards"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-248"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-14T17:26:08Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nA vulnerability in the `add_share` function of the **Rewards** pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the `u128` range.\n\n## Affected Components\n- **ORML Rewards** pallet (`rewards/src/lib.rs`)\n- Any Substrate-based chain using ORML Rewards with `add_share` accepting unvalidated large `u128` inputs\n\n## Technical Details\n- `add_share` performs arithmetic on user-supplied values (`add_amount`) of type `T::Share` (mapped to `u128` in Acala).\n- If `add_amount` is large enough (e.g., `i128::MAX`), the intermediate result may overflow and panic on the cast to `u128`.\n- Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow.\n\n## Impact\nA malicious user submitting a specially crafted extrinsic can cause a panic in the runtime:\n- **Denial of Service** by crashing the node process.\n- **Potential for invalid blocks** produced by validators.\n\n## Likelihood\nThis issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing sufficiently large multiplication to exceed `u128` bounds.\n\n## Remediation\n- This issue is fixed in https://github.com/open-web3-stack/open-runtime-module-library/pull/1016\n\n## Backport\n\nThe patch have been backported to following release branches:\n- polkadot-stable2407\n- polkadot-stable2409\n\nA 1.0.1 patch release is made with this fix.",
"id": "GHSA-5v93-9mqw-p9mh",
"modified": "2025-02-14T17:26:08Z",
"published": "2025-02-14T17:26:08Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/open-web3-stack/open-runtime-module-library/security/advisories/GHSA-5v93-9mqw-p9mh"
},
{
"type": "WEB",
"url": "https://github.com/open-web3-stack/open-runtime-module-library/pull/1016"
},
{
"type": "WEB",
"url": "https://github.com/open-web3-stack/open-runtime-module-library/commit/6720fcd92f44e5f204741b04fdef3b67b0fcf6bc"
},
{
"type": "PACKAGE",
"url": "https://github.com/open-web3-stack/open-runtime-module-library"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Uncaught Panic in ORML Rewards Pallet"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…