Skip to content
This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

Fix PoV attack vector for contracts #10301

Closed
athei opened this issue Nov 17, 2021 · 1 comment
Closed

Fix PoV attack vector for contracts #10301

athei opened this issue Nov 17, 2021 · 1 comment
Assignees
Labels
I2-security The client fails to follow expected, security-sensitive, behaviour.

Comments

@athei
Copy link
Member

athei commented Nov 17, 2021

As of right now PoV sites are not reflected as a resource in our FRAME based run times. For fixed functionality pallets this isn't a show stopper because they can be written in a way that users cannot exploit this (BoundedVec etc.).

However every chain that has the contracts pallet might susceptible to this easy exploit: Craft a transaction that calls many contracts that are big in code size but small in weight (they return immediately). This will choke the throughput without causing an appropriate amount of fees.

The current progress of a proper integration into FRAME is tracked in paritytech/polkadot-sdk#398. This might be too late for us as we cannot launch without it. We have multiple possibilities to protect us from that exploit in the meantime:

@athei
Copy link
Member Author

athei commented May 9, 2022

This issue is resolved by #11372 for now. The final solution will be delivered through paritytech/polkadot-sdk#398.

@athei athei closed this as completed May 9, 2022
Repository owner moved this from Todo to Done in Production Smart Contracts Parachain May 9, 2022
@athei athei moved this to Done in Smart Contracts Jul 27, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
I2-security The client fails to follow expected, security-sensitive, behaviour.
Projects
Status: No status
Development

No branches or pull requests

1 participant