(Not So) Smart Pallets
This repository contains examples of common Substrate pallet vulnerabilities. Use Not So Smart Pallets to learn about Substrate vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.
Features
Each Not So Smart Pallet includes a standard set of information:
- Description of the vulnerability type
- Attack scenarios to exploit the vulnerability
- Recommendations to eliminate or mitigate the vulnerability
- A mock pallet that exhibits the flaw
- References to third-party resources with more information
Vulnerabilities
Not So Smart Pallet | Description |
---|---|
Arithmetic overflow | Integer overflow due to incorrect use of arithmetic operators |
Don't panic! | System panics create a potential DoS attack vector |
Weights and fees | Incorrect weight calculations can create a potential DoS attack vector |
Verify first | Verify first, write last |
Unsigned transaction validation | Insufficient validation of unsigned transactions |
Bad randomness | Unsafe sources of randomness in Substrate |
Bad origin | Incorrect use of call origin can lead to bypassing access controls |
Credits
These examples are developed and maintained by Trail of Bits.
If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.