One of the packages pulled into lib.rs uses "curve25519-dalek" version = "3.2.1", which exposes our contract to the timing side-channel vulnerability in version 3.2.1 of the curve25519-dalek cryptographic library.
A severe timing side-channel vulnerability has been identified in version 3.2.1 of the curve25519-dalek cryptographic library, which is used by the Solana program. The vulnerability manifests as inconsistent execution times during scalar subtraction operations (Scalar29::sub and Scalar52::sub), giving attackers an opportunity to measure timing differences and infer sensitive cryptographic data, such as private keys. The curve25519-dalek library is a transitive dependency of the Anchor framework and the Solana program, both of which are integral to lib.rs. As a result, the contract is indirectly exposed to this vulnerability, potentially compromising the security of the contract, users' private data, and funds.
The vulnerability is located in the curve25519-dalek library, which is responsible for handling elliptic curve cryptography (ECC) for key generation, signing, and other cryptographic operations within the Solana blockchain ecosystem. Specifically, the issue arises from the non-constant-time execution of scalar subtraction in the Scalar29::sub and Scalar52::sub functions. The execution time of these operations varies with the values of the operands, which introduces a timing side-channel risk.
Timing side-channel attacks allow attackers to gain insights into sensitive data (such as private keys) by measuring the time it takes to perform cryptographic operations. Even a small variance in execution time can leak crucial bits of information, which attackers can use to reconstruct private keys or forge signatures.
Scalar Subtraction Vulnerability: The issue lies in how the library handles scalar subtraction in cryptographic computations. The time taken to subtract two scalars depends on the actual values being subtracted.
Timing Differences: These timing differences allow attackers to potentially gather information about private keys by observing how the execution time varies with different input values.
Indirect Exposure: The contract is affected by this vulnerability because Solana (via Anchor) uses curve25519-dalek for its cryptographic operations.
In short, because of this vulnerability, cryptographic operations involving key management and signatures in your contract could be subject to a side-channel attack, jeopardizing the confidentiality and integrity of users’ interactions with the contract.
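The difference between a subtraction whose correction step is gated by a branch and one whose correction step is selected by a mask, written out as an added Rust example. This is not curve25519-dalek's code: the four-limb layout, the function names and the helper structure are the example's own, and the only constant taken from the real library's domain is the Ed25519 group order L used as the modulus. Both functions compute a - b mod L for reduced inputs; only the first one executes a different instruction sequence depending on the secret operands. No timing is measured here; the example shows the structural property that a constant-time implementation needs.

```rust
use std::hint::black_box;

const LIMBS: usize = 4;
type Limbs = [u64; LIMBS];

// Modulus for the example: the Ed25519 group order
// L = 2^252 + 27742317777372353535851937790883648493, as little-endian 64-bit limbs.
// (This limb layout is the example's own, not the library's.)
const L: Limbs = [0x5812631a5cf5d3ed, 0x14def9dea2f79cd6, 0x0000000000000000, 0x1000000000000000];

/// Limb-wise a - b with borrow propagation. Returns (a - b mod 2^256, borrow),
/// where borrow is 1 exactly when a < b. Every limb is processed the same way
/// regardless of value, so this pass is already operand-independent.
fn sub_with_borrow(a: &Limbs, b: &Limbs) -> (Limbs, u64) {
    let mut out = [0u64; LIMBS];
    let mut borrow = 0u64;
    for i in 0..LIMBS {
        let (d1, b1) = a[i].overflowing_sub(b[i]);
        let (d2, b2) = d1.overflowing_sub(borrow);
        out[i] = d2;
        borrow = (b1 | b2) as u64;
    }
    (out, borrow)
}

/// Adds (m & mask) limb-wise. With mask == u64::MAX this adds m, with mask == 0 it
/// adds nothing, and in both cases the same instructions run.
fn add_masked(a: &Limbs, m: &Limbs, mask: u64) -> Limbs {
    let mut out = [0u64; LIMBS];
    let mut carry = 0u64;
    for i in 0..LIMBS {
        let (s1, c1) = a[i].overflowing_add(m[i] & mask);
        let (s2, c2) = s1.overflowing_add(carry);
        out[i] = s2;
        carry = (c1 | c2) as u64;
    }
    out
}

/// Variable-time modular subtraction (inputs must be < L): the correction pass runs
/// only when a < b, so running time and branch history depend on the secret operands.
pub fn sub_mod_variable_time(a: &Limbs, b: &Limbs) -> Limbs {
    let (diff, borrow) = sub_with_borrow(a, b);
    if borrow == 1 {
        add_masked(&diff, &L, u64::MAX)
    } else {
        diff
    }
}

/// Constant-time modular subtraction (inputs must be < L): the correction pass always
/// runs and a mask decides whether it has any effect. black_box hides where the mask
/// came from, so the optimizer is discouraged from rewriting the masked add back into
/// a conditional branch on the borrow.
pub fn sub_mod_constant_time(a: &Limbs, b: &Limbs) -> Limbs {
    let (diff, borrow) = sub_with_borrow(a, b);
    let mask = black_box(0u64.wrapping_sub(borrow)); // 0 or all-ones, no branch
    add_masked(&diff, &L, mask)
}

fn main() {
    let a: Limbs = [5, 0, 0, 0];
    let b: Limbs = [7, 0, 0, 0];
    println!("variable-time: {:x?}", sub_mod_variable_time(&a, &b));
    println!("constant-time: {:x?}", sub_mod_constant_time(&a, &b));
}
```

The two functions return identical results, which is exactly why a functional test suite will not catch the problem: the defect is in how the result is computed, not in what it is. Reviewing a dependency for this class of issue therefore means inspecting the arithmetic for secret-dependent branches and memory accesses (or running statistical timing tests against it), not checking its outputs.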
To demonstrate how an attacker might exploit this vulnerability, consider the following scenario where the attacker could use the timing difference to infer private key information:
Setup: An attacker is observing cryptographic operations on a system that is using curve25519-dalek 3.2.1. Specifically, they are monitoring the time it takes for the scalar subtraction operations in Scalar29::sub and Scalar52::sub to execute.
Target: The attacker targets a smart contract like lib.rs, which indirectly relies on curve25519-dalek for cryptographic operations. The attacker has access to the contract's public key and can send transactions that involve signing operations, e.g., setting up funds, making contributions, or initiating withdrawals.
Attack Execution: The attacker sends a series of transactions that involve cryptographic signing or key generation. By measuring the execution time of these transactions, they can gather data on how long it takes for scalar operations to complete.
Timing Analysis: Because the subtraction operation times vary with the input values, the attacker can begin to detect patterns in the execution time based on the operands involved. The attacker can gradually gather information about how specific inputs affect the execution time of the cryptographic operations. This allows the attacker to narrow down potential private key values through repeated measurements and analysis of the timing data.
Key Recovery: After gathering enough timing data, the attacker could piece together information about the private key (or other sensitive data) through timing analysis, essentially reconstructing the private key by exploiting these timing differences.
Private Key Compromise:
An attacker could leak private keys by exploiting the timing differences in the scalar subtraction operations. With a compromised private key, an attacker could gain unauthorized control over any participant’s wallet or the fund creator’s account, enabling them to perform malicious activities.
Impersonation and Fraud:
By deducing a user’s private key, an attacker could impersonate legitimate contributors or fund creators. This would allow them to forge signatures, manipulate fund contributions, withdraw funds, or alter contract parameters without permission.
Unauthorized Fund Access:
The attacker could steal funds from the contract by gaining access to the private keys associated with contributions or the fund creator’s wallet. Once they have these keys, they can bypass the intended security checks, withdraw funds, or alter the contract’s state in unauthorized ways.
RustSec Advisory Database: This tool provided the detailed advisory on the vulnerability (RUSTSEC-2024-0344), which identifies the issue in curve25519-dalek version 3.2.1.
Upgrade curve25519-dalek to version >= 4.1.3:
The vulnerability has been fixed in version 4.1.3 of curve25519-dalek. To mitigate the risk, ensure your project uses this safe version and update the version of curve25519-dalek accordingly.
Update Solana and Anchor Dependencies:
Since curve25519-dalek is a transitive dependency of Solana and Anchor, update the versions of Solana and Anchor to ensure they incorporate the fixed version of curve25519-dalek. Always ensure you're using the latest stable versions of these frameworks to benefit from security patches.