Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Empiric Oracle>Informational findings>Publish entry does not validate caller address is not ,0
GeneralOverview
Findings
High (1)
Medium (2)
Low (2)
Informational (1)Entry does not validate caller
DiscussionAssert non-zero valueRoot and publisher key schemePause functionalityAccuracy of data returned
Audit ResultsResults
Category: Coding Mistakes

Publish entry does not validate caller address is not 0

Informational Severity
Informational Impact
N/A Likelihood

Description

When contracts in Starknet are directly invoked, the get_caller_address function can return 0. This is a relatively common error or default pattern in Starknet and Cairo, but it can cause security issues when this behavior is unexpected, like in the case of get_caller_address.

In the publish entry code of the oracle/library.cairo file, the caller address is checked against the publisher address. The publisher address is retrieved by calling into the publisher registry contract and fetching the address of the publisher with a given felt-converted string name. If the publisher specified by this string does not exist, the publisher registry will actually return 0 instead of throwing an error.

func Publisher_get_publisher_address{
    syscall_ptr : felt*, pedersen_ptr : HashBuiltin*, range_check_ptr
}(publisher : felt) -> (publisher_address : felt):
    let (publisher_address) = Publisher_publisher_address_storage.read(publisher)
    return (publisher_address)
end

This is because a read with a key that does not exist will return 0 values instead of throwing an error. Because no check is performed in the publisher registry that validates that non-zero values for publisher addresses will be returned, this allows the oracle code to check a 0 publisher address against a potentially 0 caller address, which can occur if the contract is invoked directly with --no_wallet.

As of Starknet 0.10.0 this will not be an issue, but it is recommended to validate that the publisher registry get publisher address method does not return 0 values and/or the oracle validates the caller is not 0.

Impact

If allowed, for example—a pre-0.10.0 Starknet environment would allow a caller to impersonate a publisher as long as the publisher does not exist in the publisher registry. In combination with a previous finding, this would allow an attacker to publish arbitrary entries even if they were not previously added to the registry.

Recommendations

Validate, in either the publisher registry, that the returned publisher address is non-zero or that the caller address is not zero.

Remediation

The issue was addressed in a later update.

Zellic © 2024Back to top ↑