Submission Details
Severity:
Insufficient Access Control on Random Generation
Root + Impact
Description
The get_random_slice function can be called by anyone since it's marked as entry, but it should only be called internally during registration. This allows external actors to manipulate user allocations.
entry fun get_random_slice(user_addr: address) acquires ModuleData, State {
// @> Function is public entry - can be called by anyone
let state = borrow_global_mut<State>(get_resource_address());
// ... randomness logic
}
Risk
Likelihood:
Any external user can call this function directly
Malicious actors can override existing user allocations
Front-running attacks during registration process
Impact:
Users' allocated amounts can be changed without authorization
Potential for denial of service by consuming computational resources
Breaking of intended registration flow and business logic
Proof of Concept
// Attacker can call get_random_slice directly:
// 1. User gets registered with amount X
// 2. Attacker calls get_random_slice(user_address) to change it to amount Y
// 3. User's allocation is now different than intended
Recommended Mitigation
- #[randomness]
- entry fun get_random_slice(user_addr: address) acquires ModuleData, State {
+ #[randomness]
+ fun get_random_slice(user_addr: address) acquires ModuleData, State {
Updates
Appeal created
bube 10 days ago
Submission Judgement Published Assigned finding tags:
Anyone can call `get_random_slice` function
Rewards breakdown
nSLOC
125This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.