#42750 [BC-Insight] Subtraction overflow risk in WSTS FIRE coordinator
Submitted on Mar 25th 2025 at 17:59:39 UTC by @Blobism for Attackathon | Stacks II
Report ID: #42750
Report Type: Blockchain/DLT
Report severity: Insight
Target: https://github.com/stacks-network/sbtc/blob/immunefi_attackaton_1.0/Cargo.toml#L31
Impacts:
Description
Brief/Intro
There is a risk of a subtraction overflow in the WSTS FIRE coordinator when handling a SigShareGather timeout. If a sufficient number of malicious signers in a signing round can trigger the overflow, they could force the round to keep being repeated.
Vulnerability Details
The subtraction overflow risk is shown below, from src/state_machine/coordinator/fire.rs. Given the complexity of the logic here, security best practice would be to make the subtraction a saturating_sub.
    let num_malicious_keys: u32 = self
        .malicious_signer_ids
        .iter()
        .map(|signer_id| self.config.signer_key_ids[signer_id].len() as u32)
        .sum();
    if self.config.num_keys - num_malicious_keys < self.config.threshold { // <--- subtraction overflow risk
        error!("Insufficient non-malicious signers, unable to continue");
        let mal = self.malicious_signer_ids.iter().copied().collect();
        return Ok((
            None,
            Some(OperationResult::SignError(
                SignError::InsufficientSigners(mal),
            )),
        ));
    }
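Added example (not part of the original report and not WSTS code): a simplified model of the check above, comparing wrapping, saturating and checked subtraction. The Round struct, its field types and the sample values are assumptions constructed for illustration; the inconsistent num_keys value only exercises the arithmetic and is not a claim that the coordinator can reach that state.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical stand-in for the coordinator fields the check reads (not the WSTS types).
struct Round {
    num_keys: u32,
    threshold: u32,
    signer_key_ids: HashMap<u32, HashSet<u32>>,
    malicious_signer_ids: HashSet<u32>,
}

impl Round {
    fn num_malicious_keys(&self) -> u32 {
        self.malicious_signer_ids.iter()
            .map(|id| self.signer_key_ids.get(id).map_or(0, |k| k.len() as u32))
            .sum()
    }
    // Plain `-` panics when overflow checks are on (debug default) and wraps when
    // they are off (release default); wrapping_sub models the latter explicitly.
    fn insufficient_wrapping(&self) -> bool {
        self.num_keys.wrapping_sub(self.num_malicious_keys()) < self.threshold
    }
    // The report's suggestion: clamp at zero so the threshold check still fires.
    fn insufficient_saturating(&self) -> bool {
        self.num_keys.saturating_sub(self.num_malicious_keys()) < self.threshold
    }
    // Stricter option: None exposes the inconsistent state to the caller.
    fn remaining_checked(&self) -> Option<u32> {
        self.num_keys.checked_sub(self.num_malicious_keys())
    }
}

// Constructed sample: signers 0, 1, 2 hold two key IDs each; signers 0 and 1 are marked malicious.
fn sample_round(num_keys: u32) -> Round {
    let signer_key_ids = (0..3u32)
        .map(|s| (s, HashSet::from([2 * s + 1, 2 * s + 2])))
        .collect();
    Round { num_keys, threshold: 4, signer_key_ids, malicious_signer_ids: HashSet::from([0, 1]) }
}

fn main() {
    for num_keys in [6u32, 3] { // 6 is consistent with the key map; 3 is deliberately not
        let r = sample_round(num_keys);
        println!("num_keys={num_keys} wrapping={} saturating={} checked={:?}",
            r.insufficient_wrapping(), r.insufficient_saturating(), r.remaining_checked());
    }
}
```

With the wrapped result the "insufficient signers" branch is skipped, while saturating_sub still reaches it and checked_sub reports the inconsistency directly.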
Impact Details
I am submitting this as an insight, as there is plausible risk of malicious signers forcing repeated signing rounds. I have not fully investigated if the subtraction overflow can be accomplished in practice. Regardless, security best practice is to make this subtraction a saturating_sub.
References
https://github.com/Trust-Machines/wsts/tree/v13.0.1
Proof of Concept
I have not confirmed that a subtraction overflow can be accomplished. This report is simply a security best practice insight. I can conduct a deeper investigation if needed.