Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth: Account contract errors impersonate the contract being called #771

Closed
leighmcculloch opened this issue Apr 21, 2023 · 2 comments
Closed

Auth: Account contract errors impersonate the contract being called #771

leighmcculloch opened this issue Apr 21, 2023 · 2 comments
Assignees
@dmkozh
Labels
bug Something isn't working Security Security fixes or features

Comments

@leighmcculloch
Copy link
Member

leighmcculloch commented Apr 21, 2023
edited
Loading

While playing around with enforced auth in the SDK I've noticed that when triggering error conditions in built-in contracts, the debug logs indicate a "contract error" has occurred, which is confusing because it isn't clear what contract has generated the error.

For example, in my contract I've called require_auth on a Stellar account, and when I triggered an error, I'm seeing these debug events:

HostError
Value: Status(ContractError(5))

Debug events (newest first):
   0: "Debug escalating error '' to panic"
   1: "Debug contract call invocation resulted in error Status(ContractError(5))"
   2: "Debug caught panic from contract function 'Symbol(add)', propagating escalated error 'Status(ContractError(5))'"
   3: "Debug escalating error '' to panic"
   4: "Debug incompatible signature format"

It seems like this is happening, because the Value: Status(ContractError(5)) indicates the error has made it up to the top-level, even though it was a sub-invocation that generated that contract error.

mermaid-diagram-2023-04-21-170144

Errors from one contract shouldn't be propagated, they should become generic traps in the next contract up the stack. This is especially true of ContractErrors. When we propogate contract errors we risk a user/developer interpreting the value as having meaning defined by a contract that didn't generate the error.

In this case 5 means AuthenticationError in the context of the account contract:

rs-soroban-env/soroban-env-host/src/native_contract/contract_error.rs

Lines 8 to 14 in 352487c

pub enum ContractError {
InternalError = 1,
OperationNotSupportedError = 2,
AlreadyInitializedError = 3,
UnauthorizedError = 4,
AuthenticationError = 5,

But in the calling contract 5 might mean something else.

cc @graydon @dmkozh @sisuresh
@leighmcculloch leighmcculloch added the bug Something isn't working label Apr 21, 2023
@leighmcculloch leighmcculloch changed the title Debug events and builtin contract errors are misleading Builtin contract errors are misleading Apr 22, 2023
@leighmcculloch leighmcculloch mentioned this issue Apr 22, 2023
Closed
@leighmcculloch
Copy link
Member Author

I separated the issue of ambiguous debug events into a separate issue: #772.

@leighmcculloch leighmcculloch changed the title Builtin contract errors are misleading Account contract errors impersonate the contract being called Apr 26, 2023
@leighmcculloch
Copy link
Member Author

I've updated the issue title to Account contract errors impersonate the contract being called, because I'm seeing the same behavior when using a custom account contract, and the primary issue is the issue of impersonation. It is possible for someone using a custom account contract to impersonate a contract being called and essentially MITM between two contracts.

@leighmcculloch leighmcculloch changed the title Account contract errors impersonate the contract being called Auth: Account contract errors impersonate the contract being called May 1, 2023
@dmkozh dmkozh added the Security Security fixes or features label May 15, 2023
@dmkozh dmkozh self-assigned this May 30, 2023
@dmkozh dmkozh mentioned this issue Jun 5, 2023
Merged
@dmkozh dmkozh closed this as completed Jun 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dmkozh dmkozh

Labels
bug Something isn't working Security Security fixes or features
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@leighmcculloch @dmkozh