This repository contains examples of common Substrate pallet vulnerabilities. Use Not So Smart Pallets to learn about Substrate vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.
Each Not So Smart Pallet includes a standard set of information:
- Description of the vulnerability type
- Attack scenarios to exploit the vulnerability
- Recommendations to eliminate or mitigate the vulnerability
- A mock pallet that exhibits the flaw
- References to third-party resources with more information
| Not So Smart Pallet | Description |
|---|---|
| Arithmetic overflow | Integer overflow due to incorrect use of arithmetic operators |
| Don't panic! | System panics create a potential DoS attack vector |
| Weights and fees | Incorrect weight calculations can create a potential DoS attack vector |
| Verify first | Verify first, write last |
| Unsigned transaction validation | Insufficient validation of unsigned transactions |
| Bad randomness | Unsafe sources of randomness in Substrate |
| Bad origin | Incorrect use of call origin can lead to bypassing access controls |
These examples are developed and maintained by Trail of Bits.
If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.