GHSA-5V93-9MQW-P9MH

Vulnerability from github – Published: 2025-02-14 17:26 – Updated: 2025-02-14 17:26
VLAI
Summary
Uncaught Panic in ORML Rewards Pallet
Details

Summary

A vulnerability in the add_share function of the Rewards pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the u128 range.

Affected Components

  • ORML Rewards pallet (rewards/src/lib.rs)
  • Any Substrate-based chain using ORML Rewards with add_share accepting unvalidated large u128 inputs

Technical Details

  • add_share performs arithmetic on user-supplied values (add_amount) of type T::Share (mapped to u128 in Acala).
  • If add_amount is large enough (e.g., i128::MAX), the intermediate result may overflow and panic on the cast to u128.
  • Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow.

Impact

A malicious user submitting a specially crafted extrinsic can cause a panic in the runtime: - Denial of Service by crashing the node process. - Potential for invalid blocks produced by validators.

Likelihood

This issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing sufficiently large multiplication to exceed u128 bounds.

Remediation

  • This issue is fixed in https://github.com/open-web3-stack/open-runtime-module-library/pull/1016

Backport

The patch have been backported to following release branches: - polkadot-stable2407 - polkadot-stable2409

A 1.0.1 patch release is made with this fix.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "orml-rewards"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-248"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-14T17:26:08Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\nA vulnerability in the `add_share` function of the **Rewards** pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the `u128` range.\n\n## Affected Components\n- **ORML Rewards** pallet (`rewards/src/lib.rs`)\n- Any Substrate-based chain using ORML Rewards with `add_share` accepting unvalidated large `u128` inputs\n\n## Technical Details\n- `add_share` performs arithmetic on user-supplied values (`add_amount`) of type `T::Share` (mapped to `u128` in Acala).\n- If `add_amount` is large enough (e.g., `i128::MAX`), the intermediate result may overflow and panic on the cast to `u128`.\n- Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow.\n\n## Impact\nA malicious user submitting a specially crafted extrinsic can cause a panic in the runtime:\n- **Denial of Service** by crashing the node process.\n- **Potential for invalid blocks** produced by validators.\n\n## Likelihood\nThis issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing sufficiently large multiplication to exceed `u128` bounds.\n\n## Remediation\n- This issue is fixed in https://github.com/open-web3-stack/open-runtime-module-library/pull/1016\n\n## Backport\n\nThe patch have been backported to following release branches:\n- polkadot-stable2407\n- polkadot-stable2409\n\nA 1.0.1 patch release is made with this fix.",
  "id": "GHSA-5v93-9mqw-p9mh",
  "modified": "2025-02-14T17:26:08Z",
  "published": "2025-02-14T17:26:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-web3-stack/open-runtime-module-library/security/advisories/GHSA-5v93-9mqw-p9mh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-web3-stack/open-runtime-module-library/pull/1016"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-web3-stack/open-runtime-module-library/commit/6720fcd92f44e5f204741b04fdef3b67b0fcf6bc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-web3-stack/open-runtime-module-library"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Uncaught Panic in ORML Rewards Pallet"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…