This repository contains examples of common Substrate pallet vulnerabilities. Use Not So Smart Pallets to learn about Substrate vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.
Each Not So Smart Pallet includes a standard set of information:
- Description of the vulnerability type
- Attack scenarios to exploit the vulnerability
- Recommendations to eliminate or mitigate the vulnerability
- A mock pallet that exhibits the flaw
- References to third-party resources with more information
|Not So Smart Pallet||Description|
|Arithmetic overflow||Integer overflow due to incorrect use of arithmetic operators|
|Don't panic!||System panics create a potential DoS attack vector|
|Weights and fees||Incorrect weight calculations can create a potential DoS attack vector|
|Verify first||Verify first, write last|
|Unsigned transaction validation||Insufficient validation of unsigned transactions|
|Bad randomness||Unsafe sources of randomness in Substrate|
|Bad origin||Incorrect use of call origin can lead to bypassing access controls|
These examples are developed and maintained by Trail of Bits.