N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-5v93-9mqw-p9mh

EPSS Score

CWE

CWE-248

Published

2/14/2025

Updated

2/14/2025

KEV Status

Technology

Rust

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-5v93-9mqw-p9mh

GHSA-5v93-9mqw-p9mh: Uncaught Panic in ORML Rewards Pallet

Summary

A vulnerability in the add_share function of the Rewards pallet (part of the ORML repository) can lead to an uncaught Rust panic when handling user-provided input exceeding the u128 range.

Affected Components

ORML Rewards pallet (rewards/src/lib.rs)
Any Substrate-based chain using ORML Rewards with add_share accepting unvalidated large u128 inputs

Technical Details

add_share performs arithmetic on user-supplied values (add_amount) of type T::Share (mapped to u128 in Acala).
If add_amount is large enough (e.g., i128::MAX), the intermediate result may overflow and panic on the cast to u128.
Validation occurs only after arithmetic, enabling a crafted input to trigger an overflow.

Impact

A malicious user submitting a specially crafted extrinsic can cause a panic in the runtime:

Denial of Service by crashing the node process.
Potential for invalid blocks produced by validators.

Likelihood

This issue is exploitable in production if there exists at least one rewards pool where reward tokens exceed twice the collateral tokens, allowing sufficiently large multiplication to exceed u128 bounds.

Remediation

This issue is fixed in https://github.com/open-web3-stack/open-runtime-module-library/pull/1016

Backport

The patch have been backported to following release branches:

polkadot-stable2407
polkadot-stable2409

A 1.0.1 patch release is made with this fix.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-5v93-9mqw-p9mh

EPSS Score

CWE

CWE-248

Published

2/14/2025

Updated

2/14/2025

KEV Status

Technology

Rust

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
orml-rewards	rust	< 1.2.1	1.2.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies add_share as the entry point. The commit diff shows critical changes in lib.rs where unsafe .as_u128() casts were replaced with .saturated_into::<u128>() to handle overflows. These operations occur in reward calculation logic that processes user-controlled add_amount values. The patch confirms the vulnerable pattern was present in arithmetic operations preceding validation checks, making this function the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry * vuln*r**ility in t** `***_s**r*` *un*tion o* t** **R*w*r*s** p*ll*t (p*rt o* t** ORML r*pository) **n l*** to *n un**u**t Rust p*ni* w**n **n*lin* us*r-provi*** input *x****in* t** `u***` r*n**. ## *****t** *ompon*nts - **ORML R*w*r*s**

Reasoning

T** vuln*r**ility **s*ription *xpli*itly i**nti*i*s `***_s**r*` *s t** *ntry point. T** *ommit *i** s*ows *riti**l ***n**s in `li*.rs` w**r* uns*** `.*s_u***()` **sts w*r* r*pl**** wit* `.s*tur*t**_into::<u***>()` to **n*l* ov*r*lows. T**s* op*r*tion

N/A

Basic Information

Concerned about an active attack path?

GHSA-5v93-9mqw-p9mh: Uncaught Panic in ORML Rewards Pallet

Summary

Affected Components

Technical Details

Impact

Likelihood

Remediation

Backport

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI