Description
Context
Issue found by SRL labs in the semi-automated audit.
Summary
An integer overflow in the oracle pallet can be abused by a malicious oracle.
Issue details
There is an integer overflow inside the oracle::begin_block function, which is called upon block initialization. A malicious oracle can trigger this overflow by updating the coin info with high supply and price values via a set_updated_coin_infos call inside Pendulum's dia-oracle pallet.
Here are example call parameters that will trigger the overflow in the next block initialization:
    RuntimeCall::DiaOracleModule(Call::set_updated_coin_infos {
        coin_infos: [(
            ([0], [0]),
            CoinInfo {
                symbol: [],
                name: [0],
                blockchain: [],
                supply: 45172881575663848363994640109535494224,
                last_update_timestamp: 60000533389444330,
                price: 338974337383797358236404514952583315520,
            })]
    });
Risk
By triggering this integer overflow, a malicious oracle can:
Crash nodes compiled in debug mode with overflow checks enabled
Cause unexpected behaviors and logic inconsistencies on nodes which have overflow checks disabled
We assigned a severity of low to this issue since it can only be triggered by permissioned oracles.
Mitigation
Implement proper integer overflow handling by checking call arguments and using safe arithmetic functions.
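
The mitigation above, sketched as an added example that is not the pallet's own code: it runs the supply and price values from the issue through an argument check and checked arithmetic, and shows the silently wrapped result an unchecked addition produces. The struct, error type, `MAX_FIELD` bound and function names are hypothetical, and the sum and product are stand-ins because the page does not show the expression inside begin_block.

```rust
// Added example: only the numeric fields of the reported CoinInfo, not the pallet's type.
#[derive(Clone, Copy)]
pub struct CoinInfo { pub supply: u128, pub price: u128 }

#[derive(Debug, PartialEq)]
pub enum OracleError { ValueOutOfRange, Overflow }

// Hypothetical upper bound for illustration; a real limit depends on the asset's decimals.
pub const MAX_FIELD: u128 = 10u128.pow(30);

/// supply and price taken from the call parameters in the issue.
pub fn reported() -> CoinInfo {
    CoinInfo {
        supply: 45172881575663848363994640109535494224,
        price: 338974337383797358236404514952583315520,
    }
}

/// Argument check, meant for the point where coin infos are accepted.
pub fn validate(c: &CoinInfo) -> Result<(), OracleError> {
    if c.supply > MAX_FIELD || c.price > MAX_FIELD {
        return Err(OracleError::ValueOutOfRange);
    }
    Ok(())
}

/// Safe arithmetic: an overflow becomes an error the caller has to handle.
pub fn checked_sum(c: &CoinInfo) -> Result<u128, OracleError> {
    c.supply.checked_add(c.price).ok_or(OracleError::Overflow)
}

pub fn checked_product(c: &CoinInfo) -> Result<u128, OracleError> {
    c.supply.checked_mul(c.price).ok_or(OracleError::Overflow)
}

/// What a plain `+` yields with overflow checks off: a wrapped value.
/// With overflow checks on, the same `+` panics instead.
pub fn wrapped_sum(c: &CoinInfo) -> u128 {
    c.supply.wrapping_add(c.price)
}

fn main() {
    let c = reported();
    println!("validate:        {:?}", validate(&c));
    println!("checked_sum:     {:?}", checked_sum(&c));
    println!("checked_product: {:?}", checked_product(&c));
    println!("wrapped_sum:     {}", wrapped_sum(&c));
}
```

The range check alone is not sufficient: two values that both pass `validate` can still overflow a product, so the checked operations are needed as well.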