Headline
CVE-2022-36058: Merge pull request from GHSA-qf7j-25g9-r63f · ElrondNetwork/elrond-go@cb487fd
Elrond go is the Go implementation of the Elrond Network protocol. In versions prior to 1.3.44, anyone who uses elrond-go to process blocks (historical or actual) could encounter a `MultiESDTNFTTransfer` transaction with a missing function name, that is, a transaction whose data ends with a bare `@` separator. Basic functionality like p2p messaging, storage, API requests and such is unaffected. Version 1.3.34 contains a fix for this issue. There are no known workarounds.
@@ -397,3 +397,53 @@ func TestAsyncMultiTransferOnCallAndOnCallback(t *testing.T) {
utils.CheckESDTNFTBalance(t, testContext, forwarderAddr, sftTokenID, 2, halfBalance)
utils.CheckESDTNFTBalance(t, testContext, forwarderAddr, sftTokenID, 3, halfBalance)
}
func TestSendNFTToContractWith0Function(t *testing.T) {
testContext, err := vm.CreatePreparedTxProcessorWithVMs(config.EnableEpochs{})
require.Nil(t, err)
defer testContext.Close()
ownerAddr := []byte(“12345678901234567890123456789010”)
sftTokenID := []byte(“SFT-123456”)
sftNonce := uint64(1)
sftBalance := big.NewInt(1000)
utils.CreateAccountWithESDTBalance(t, testContext.Accounts, ownerAddr, big.NewInt(1000000000), sftTokenID, sftNonce, sftBalance)
utils.CheckESDTNFTBalance(t, testContext, ownerAddr, sftTokenID, sftNonce, sftBalance)
gasPrice := uint64(10)
ownerAccount, _ := testContext.Accounts.LoadAccount(ownerAddr)
deployGasLimit := uint64(1000000)
txGasLimit := uint64(1000000)
vaultAddr := utils.DoDeploySecond(t,
testContext,
"…/esdt/testdata/vault-managed-api.wasm",
ownerAccount,
gasPrice,
deployGasLimit,
nil,
big.NewInt(0),
)
// send the tokens to vault
ownerAccount, _ = testContext.Accounts.LoadAccount(ownerAddr)
tx := utils.CreateESDTNFTTransferTx(
ownerAccount.GetNonce(),
ownerAddr,
vaultAddr,
sftTokenID,
sftNonce,
sftBalance,
gasPrice,
txGasLimit,
"",
)
tx.Data = append(tx.Data, []byte(“@”)…)
retCode, err := testContext.TxProcessor.ProcessTransaction(tx)
require.Equal(t, vmcommon.Ok, retCode)
require.Nil(t, err)
_, err = testContext.Accounts.Commit()
require.Nil(t, err)
}
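Review bot: The new test `TestSendNFTToContractWith0Function` stops at `require.Equal(t, vmcommon.Ok, retCode)` and never checks where the tokens ended up, so it pins only that a transfer whose data ends in a bare `@` is processed without error; if the intended outcome is that the vault is credited, add `utils.CheckESDTNFTBalance(t, testContext, vaultAddr, sftTokenID, sftNonce, sftBalance)` after the commit. The advisory describes a `MultiESDTNFTTransfer` payload, while the transaction here is built with `utils.CreateESDTNFTTransferTx`, which by its name looks like the single-token form, so a second case using the multi-transfer form would cover the reported input directly. Both `LoadAccount` calls discard their error (`ownerAccount, _ := ...`); capturing it and calling `require.Nil(t, err)` would stop a setup failure from showing up later as a confusing failure further down. A one-line comment above the `append`, such as `// trailing "@" = empty function name, regression for GHSA-qf7j-25g9-r63f`, would tell the next reader why that line exists.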
Related news
### Impact

Anyone who uses elrond-go to process blocks (historical or actual) that contain a transaction like this is affected: `MultiESDTNFTTransfer@01@54444558544b4b5955532d323631626138@00@0793afc18c8da2ca@` (note the missing function name after the last `@`). Basic functionality like p2p messaging, storage, API requests and such is unaffected.

### Patches

Patch v1.3.34 or higher

### Workarounds

No workarounds

### References

For future reference, one can observe the following integration test: [integration test](https://github.com/ElrondNetwork/elrond-go/blob/8e402fa6d7e91e779980122d3798b2bf50892945/integrationTests/vm/txsFee/asyncESDT_test.go#L402)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in elrond-go (http://github.com/ElrondNetwork/elrond-go/issues)