Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-5v93-9mqw-p9mh: Uncaught Panic in ORML Rewards Pallet

Summary

A vulnerability in the add_share function of the Rewards pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the u128 range.

Affected Components

  • ORML Rewards pallet (rewards/src/lib.rs)
  • Any Substrate-based chain using ORML Rewards with add_share accepting unvalidated large u128 inputs

Technical Details

  • add_share performs arithmetic on user-supplied values (add_amount) of type T::Share (mapped to u128 in Acala).
  • If add_amount is large enough (e.g., i128::MAX), the intermediate result may overflow and panic on the cast to u128.
  • Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow.

Impact

A malicious user submitting a specially crafted extrinsic can cause a panic in the runtime:

  • Denial of Service by crashing the node process.
  • Potential for invalid blocks produced by validators.

Likelihood

This issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing sufficiently large multiplication to exceed u128 bounds.

Remediation

  • This issue is fixed in https://github.com/open-web3-stack/open-runtime-module-library/pull/1016

Backport

The patch have been backported to following release branches:

  • polkadot-stable2407
  • polkadot-stable2409

A 1.0.1 patch release is made with this fix.

ghsa
Open in Source
#vulnerability#web#dos#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-5v93-9mqw-p9mh

Uncaught Panic in ORML Rewards Pallet

Package

cargo orml-rewards (Rust)

Affected versions

< 1.2.1

Summary

A vulnerability in the add_share function of the Rewards pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the u128 range.

Affected Components

  • ORML Rewards pallet (rewards/src/lib.rs)
  • Any Substrate-based chain using ORML Rewards with add_share accepting unvalidated large u128 inputs

Technical Details

  • add_share performs arithmetic on user-supplied values (add_amount) of type T::Share (mapped to u128 in Acala).
  • If add_amount is large enough (e.g., i128::MAX), the intermediate result may overflow and panic on the cast to u128.
  • Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow.

Impact

A malicious user submitting a specially crafted extrinsic can cause a panic in the runtime:

  • Denial of Service by crashing the node process.
  • Potential for invalid blocks produced by validators.

Likelihood

This issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing sufficiently large multiplication to exceed u128 bounds.

Remediation

  • This issue is fixed in open-web3-stack/open-runtime-module-library#1016

Backport

The patch have been backported to following release branches:

  • polkadot-stable2407
  • polkadot-stable2409

A 1.0.1 patch release is made with this fix.

References

  • GHSA-5v93-9mqw-p9mh
  • open-web3-stack/open-runtime-module-library#1016
  • open-web3-stack/open-runtime-module-library@6720fcd

Published to the GitHub Advisory Database

Feb 14, 2025

Last updated

Feb 14, 2025

ghsa: Latest News

GHSA-qfm8-78qf-p75j: The Front End User Registration extension for TYPO3 (sr_feuser_register) Remote Code Execution
ghsa