Assessment reportsPublic findings
Back to Zellic site
Assessment reports>Radix>Threat Model>Flow: Linking of guest code
GeneralOverview
Findings
High (1)
Medium (2)
Low (2)
Informational (1)
DiscussionUnique Characteristics of Radix
Threat ModelWhat are threat models?1-native-blueprints
2-runtimeFlow: Linking of guest codeCostingObject operationsKey-value store operationsActor operationsUtility functions
3-transactions4-kernel
Audit ResultsAssessment Results

Flow: Linking of guest code

The processing of guest imports starts before the virtual machine is instantiated at the validation and instrumentation stage, implemented within ScryptoV1WasmValidator::validate.

impl ScryptoV1WasmValidator { pub fn validate<'a, I: Iterator>( &self, code: &[u8], blueprints: I, ) -> Result<(Vec, Vec), PrepareError> { WasmModule::init(code)? .enforce_no_start_function()? .enforce_import_constraints(self.version)? // <--- Here .enforce_export_names()? .enforce_memory_limit_and_inject_max(self.max_memory_size_in_pages)? .enforce_table_limit(self.max_initial_table_size)? .enforce_br_table_limit(self.max_number_of_br_table_targets)? .enforce_function_limit( self.max_number_of_functions, self.max_number_of_function_params, self.max_number_of_function_locals, )? .enforce_global_limit(self.max_number_of_globals)? .enforce_export_constraints(blueprints)? .inject_instruction_metering(&self.instrumenter_config)? .inject_stack_metering(self.instrumenter_config.max_stack_size())? .ensure_instantiatable()? .ensure_compilable()? .to_bytes() } }

Once the module itself is statically validated, instrumented, and rewritten, the next step of validation is handed over to the specific VM implementation where the functions are instantiated, currently WasmerModule::instantiate and WasmiModule::host_funcs_set.

The linkage process is security sensitive as if the guest module is able to corrupt its own metadata (e.g., WASM spec is not followed and the guest code can export its own imports allowing the module to overwrite its own imports), it would enable DOS attacks. This is due to the fact that costing is handled via a callout to the env.gas function from the guest code, inserted at the time of instrumentation, which if corrupted, would lead to the execution-costing mechanism being bypassed.

Function: WasmModule::enforce_import_constraints

This is the method that validates the imports of the guest code,

pub fn enforce_import_constraints(&self, version: ScryptoVmVersion) -> Result<&Self, PrepareError>

which enforces the following constraints: 1) the imported function is valid for the given module and the version of the runtime it is linking against and 2) the type signature of the target function matches the imported function.

It achieves this by iterating over the imports of the module and switching on the import name:

// Only allow `env::radix_engine` import for entry in self .module .import_section() .map_err(|err| PrepareError::ModuleInfoError(err.to_string()))? .unwrap_or(vec![]) { if entry.module == MODULE_ENV_NAME { match entry.name { BUFFER_CONSUME_FUNCTION_NAME => { if let TypeRef::Func(type_index) = entry.ty { if Self::function_type_matches( &self.module, type_index, vec![ValType::I32, ValType::I32], vec![], ) { continue; } return Err(PrepareError::InvalidImport( InvalidImport::InvalidFunctionType(entry.name.to_string()), )); } } ... } } }

Function: WasmiModule::host_funcs_set

This method finalizes the instantiation of the guest module by setting up the host functions that the guest module can call. It does so by instantiating each host function and then adding it to the linker. The WASMI linker then provides the appropriate bindings to invoke.

pub fn host_funcs_set(module: &Module, store: &mut Store) -> Result
macro_rules! linker_define { ($linker: expr, $name: expr, $var: expr) => { $linker .define(MODULE_ENV_NAME, $name, $var) .expect(stringify!("Failed to define new linker item {}", $name)); }; } // ... let host_consume_buffer = Func::wrap( store.as_context_mut(), |caller: Caller<'_, HostState>, buffer_id: BufferId, destination_ptr: u32| -> Result<(), Trap> { consume_buffer(caller, buffer_id, destination_ptr).map_err(|e| e.into()) }, ); // ... let mut linker = >::new(); linker_define!(linker, BUFFER_CONSUME_FUNCTION_NAME, host_consume_buffer);

Switch statements

The switch statements in the enforce_import_constraints and host_funcs_set methods are a potential source of error as they are rather large and maintained by hand.

It is worth noting that a bug within these statements would most likely be caught by the comprehensive integration tests, but it remains a potential area for improvement as a proc macro could be used at the function-definition level to generate both the import validation and the runtime-specific bindings, eliminating the need for maintenance for both switch statements.

Zellic © 2025Back to top ↑