cargo contract verify does not re-hash wasm #2

Closed
R9295 opened this issue Oct 15, 2024 · 3 comments
Labels
high High severity issue


R9295 commented Oct 15, 2024

Summary

An attacker can deploy a malicious contract and have cargo contract verify incorrectly approve the malicious contract because the wasm code is not re-hashed.

Issue details

A file.contract that includes the correct source.hash field for a project but the incorrect source.wasm field will be validated by cargo contract verify --contract file.contract, even though it does not match the source code's output.

Steps to reproduce

An attacker could abuse this issue in the following way:

  1. Write a contract.
  2. Build the contract. This build will now be referred to as legit.contract.
  3. Modify the contract to insert a backdoor or modify the logic.
  4. Build the contract again. This build will now be referred to as malicious.contract.

At this point, the source.hash and source.wasm will be different for both files. The rest of the fields (aka the metadata) might be different, or not, but it does not matter in this issue.

  5. Copy the source.hash field from legit.contract and paste it in malicious.contract's source.hash field.
  6. Deploy the malicious.contract on a contract-enabled blockchain. This will work, as the hash field is not verified (and arguably shouldn't be) by the front-end and the chain.
  7. Publish the source code (without the backdoor) along with malicious.contract as the build artifact (with a different name, otherwise they are a clumsy hacker).

An end-user's attempt at verifying this build artifact will be cargo contract verify --contract malicious.contract, which will approve malicious.contract because the source.hash matches the built wasm's hash.

Mitigation suggestion

cargo contract verify should re-hash the source.wasm field of a file.contract and verify that it matches the build hash and the source.hash field.

R9295 added the high (High severity issue) label Oct 15, 2024
cmichi self-assigned this Nov 14, 2024
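The check the issue asks for, written out as an added example (this is not code from the issue, from cargo-contract or from the PR below): parse a .contract bundle, re-hash the source.wasm bytes, and compare the result against both the bundle's source.hash and a locally rebuilt Wasm. It assumes the bundle layout used by ink! (JSON with source.wasm as a 0x-prefixed hex string and source.hash as the 0x-prefixed BLAKE2b-256 digest of those bytes, the way pallet-contracts derives a code hash); the two "builds" and the bundles are constructed stand-ins, not real Wasm. The forged bundle reproduces step 5 of the report: malicious Wasm carrying the legitimate build's hash.

```python
"""Independent re-hash check for an ink! .contract bundle (added example).

Assumptions, not taken from the issue text: the bundle is JSON with
source.wasm as a 0x-prefixed hex string of the Wasm bytes and source.hash
as the 0x-prefixed BLAKE2b-256 digest of those bytes, which is how
pallet-contracts derives a code hash. All sample data below is constructed.
"""
import hashlib
import json
from typing import Optional


def blake2b_256(data: bytes) -> str:
    """Return the 0x-prefixed hex BLAKE2b-256 digest of data (the code hash)."""
    return "0x" + hashlib.blake2b(data, digest_size=32).hexdigest()


def decode_hex(field: str) -> bytes:
    """Decode a 0x-prefixed (or bare) hex string into bytes."""
    return bytes.fromhex(field[2:] if field.startswith("0x") else field)


def check_bundle(bundle_json: str, built_wasm: bytes) -> dict:
    """Re-hash source.wasm and compare it with source.hash and the local build.

    The bundle is only trustworthy when both 'hash_matches_wasm' and
    'wasm_matches_build' are True. The pre-fix behaviour described in the
    issue amounts to checking only 'hash_matches_build' (source.hash against
    the local build), which a copied hash field satisfies.
    """
    src = json.loads(bundle_json)["source"]
    claimed = src["hash"].lower()
    wasm = decode_hex(src["wasm"])
    rehashed = blake2b_256(wasm)          # the step the old verify skipped
    built = blake2b_256(built_wasm)
    return {
        "claimed_hash": claimed,
        "rehashed_wasm": rehashed,
        "built_hash": built,
        "hash_matches_build": claimed == built,    # old check: passes for the forgery
        "hash_matches_wasm": claimed == rehashed,  # missing re-hash: fails for the forgery
        "wasm_matches_build": rehashed == built,
    }


def verdict(result: dict) -> str:
    """Accept only if the shipped Wasm matches its own hash and the rebuild."""
    ok = result["hash_matches_wasm"] and result["wasm_matches_build"]
    return "verified" if ok else "REJECTED"


def make_bundle(wasm: bytes, claimed_hash: Optional[str] = None) -> str:
    """Build a minimal constructed bundle; claimed_hash overrides the real digest."""
    return json.dumps({
        "source": {
            "hash": claimed_hash or blake2b_256(wasm),
            "wasm": "0x" + wasm.hex(),
            "language": "ink! 5.0.0",      # constructed metadata, irrelevant to the check
            "compiler": "rustc 1.81.0",
        }
    })


# Constructed stand-ins for the two builds in the issue (not real Wasm modules).
LEGIT_WASM = b"\x00asm\x01\x00\x00\x00legit-logic"
MALICIOUS_WASM = b"\x00asm\x01\x00\x00\x00backdoored-logic"

LEGIT_BUNDLE = make_bundle(LEGIT_WASM)
# Step 5 of the issue: malicious Wasm carrying legit.contract's source.hash.
FORGED_BUNDLE = make_bundle(MALICIOUS_WASM, claimed_hash=blake2b_256(LEGIT_WASM))


if __name__ == "__main__":
    # The verifier rebuilds from the published (clean) source, so the local
    # build is LEGIT_WASM in both runs; only the bundle under test differs.
    for name, bundle in (("legit", LEGIT_BUNDLE), ("forged", FORGED_BUNDLE)):
        r = check_bundle(bundle, LEGIT_WASM)
        print(f"{name}: old check={r['hash_matches_build']} "
              f"re-hash={r['hash_matches_wasm']} -> {verdict(r)}")
```

Running the script shows the asymmetry the report describes: the forged bundle passes the hash-versus-build comparison alone, and is only rejected once the shipped Wasm is re-hashed and compared against source.hash.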
cmichi commented Nov 15, 2024

I've created a PR to fix this issue here: use-ink/cargo-contract#1820.

louismerlin commented

The fix looks good, thank you!

cmichi commented Nov 22, 2024

I'm closing the issue as the fix has been released this week as part of cargo-contract v4.1.3 https://github.com/use-ink/cargo-contract/releases/tag/v4.1.3.

cmichi closed this as completed Nov 22, 2024