FOLLOW-UP ON RT2602 AND RELATED BUG
On November 22, 2023, a Moonbeam ecosystem team reported a critical bug through private channels impacting runtime 2600.
The issue was promptly investigated by members of the core development team who confirmed the existence of the bug and a potential exploit. Further investigation found that the bug was present in previous runtimes as well.
As described above, the OpenGov Technical Committee was notified regarding the situation and approved whitelisting a runtime upgrade to support an accelerated rollout plan of an RT2602 build and a 0.34.1 client.
As of November 30th, all networks were successfully upgraded to RT2602.
Since then, details of the discovered bug were shared with the Frontier Advisory Group, who then contacted other projects that may have been affected. After conferring with those projects, it was determined that they were not at risk due to this particular bug, and the patch has been committed to Moonbeam’s public repos. On January 2, 2024, details of the bug and the patch were published to GitHub here.
Now that the responsible disclosure process has been completed, it is safe to share the nature of the issue itself.
Summary:
Under certain circumstances, when a smart contract is deployed with marginally insufficient gas and it fails due to an OutOfGas error, EVM events from the transactions within its constructor are still emitted.
Impact:
Although the state of the chain is properly reverted following the failure, off-chain components that rely on the EVM events to track state changes (e.g., token transfers) may behave incorrectly due to the processing of erroneously sent events.
An attacker could craft a smart contract in a way that would fail to deploy following the execution of its constructor and include a set of transactions in the constructor designed to mislead off-chain components that rely on EVM events in order to achieve some sort of financial gain.
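A defensive check for an off-chain consumer of EVM events, as an added example that is not Moonbeam's code or part of the patch: it accepts logs only from receipts that report success and, for contract creations, only when code exists at the created address. It assumes receipts in the standard Ethereum JSON-RPC shape; the page does not state how the affected receipts looked, and `filter_logs`, `sample_get_code` and the sample data are hypothetical.

```python
from typing import Callable

def receipt_succeeded(receipt: dict) -> bool:
    """True only if the receipt explicitly reports status 0x1."""
    try:
        return int(receipt.get("status"), 16) == 1
    except (TypeError, ValueError):
        return False  # missing or malformed status is never trusted

def filter_logs(receipts: list, get_code: Callable[[str], str]):
    """Split receipts' logs into (accepted_logs, quarantined_records)."""
    accepted, quarantined = [], []
    for r in receipts:
        logs = r.get("logs") or []
        if not logs:
            continue
        if not receipt_succeeded(r):
            reason = "logs attached to a failed transaction"
        elif r.get("to") is None and get_code(r.get("contractAddress")) in ("", "0x"):
            # Contract creation that reports success but left no code on chain.
            reason = "logs from a deployment that left no code"
        else:
            accepted.extend(logs)
            continue
        quarantined.append({"tx": r["transactionHash"], "reason": reason,
                            "dropped": len(logs)})
    return accepted, quarantined

# Constructed sample data (not real chain data).
SAMPLE_CODE = {"0xc0de01": "0x6080"}

def sample_get_code(address):
    return SAMPLE_CODE.get(address, "0x")

SAMPLE_RECEIPTS = [
    {"transactionHash": "0x01", "status": "0x1", "to": "0xaa01",
     "contractAddress": None, "logs": [{"logIndex": "0x0"}]},
    {"transactionHash": "0x02", "status": "0x0", "to": None,
     "contractAddress": None, "logs": [{"logIndex": "0x0"}, {"logIndex": "0x1"}]},
    {"transactionHash": "0x03", "status": "0x1", "to": None,
     "contractAddress": "0xc0de01", "logs": [{"logIndex": "0x0"}]},
    {"transactionHash": "0x04", "status": "0x1", "to": None,
     "contractAddress": "0xdead02", "logs": [{"logIndex": "0x0"}]},
]

if __name__ == "__main__":
    ok, bad = filter_logs(SAMPLE_RECEIPTS, sample_get_code)
    print(len(ok), "accepted;", bad)
```

Quarantined records are kept for review rather than silently discarded, since a constructor can legitimately return empty runtime code.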
Resolution:
After some investigation, it was determined that while the conditions leading to triggering the bug were relatively rare, the enablement of MBIP-5 increased the likelihood of it occurring, as MBIP-5 marginally increased the gas requirements of some specific smart contract interactions. Consequently, tools that do not rely on RPC-based gas estimations would use their own gas estimation models, which in specific scenarios might result in a value just below the actual value required for proper execution. Therefore, there was a reasonable chance that the issue could have been discovered by a bad actor.
It was further determined that the risk of the patch was relatively low while the impact of an exploit could be relatively high. For this reason, the OpenGov Technical Committee voted in favor of an accelerated rollout of RT2602 for both Moonbeam and Moonriver to address the issue.