convex-testing-interface
Safe Haskell: Safe-Inferred
Language: Haskell2010

Convex.ThreatModel.InputDuplication

Description

Threat model for detecting input ordering bypass vulnerabilities.

Some Plutus validators have logic like:

    or {
      own_ref != first_script_input_ref,  -- If NOT first → skip check!
      actual_validation_logic(...)        -- Only verified for first input
    }

This pattern is vulnerable because when multiple script inputs are spent in one transaction, only the FIRST input is properly validated. An attacker can add a second input from the same script which bypasses all validation.

This is particularly dangerous for:

  - Lending protocols (second loan bypasses payment verification)
  - Multi-signature schemes (second input bypasses signature checks)
  - Any validator that assumes it's the only script input

Documentation

inputDuplication :: ThreatModel ()

Check for input duplication / input ordering bypass vulnerabilities.

For a transaction that spends from a script address:

  1. Find a script input in the transaction
  2. Look in the UTxO set for OTHER UTxOs at the same script address that aren't already spent
  3. Add one of those as an additional input with the same redeemer
  4. If the transaction still validates, the script has an input ordering vulnerability

The attack works because many scripts only validate the FIRST script input, allowing subsequent inputs to bypass validation entirely.

Note: This threat model requires that there exist multiple UTxOs at the same script address in the UTxO set. The test will be skipped if no additional UTxOs are available.
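The following is an added, self-contained Haskell sketch (not code from convex-testing-interface) that puts the vulnerable "only the first script input is checked" pattern from the module description beside a hardened variant, and then runs the four-step check above against both. The ledger model (UTxO, Tx, Validator), the script address and the loan UTxOs are constructed for the example; a real validator would be evaluated by the Cardano ledger, not by the `validates` function here.

```haskell
module Main where

import Data.List (find)

-- Constructed toy ledger model (not the real Plutus or convex types).
type Address  = String
type TxOutRef = (String, Int)          -- (transaction id, output index)

data UTxO = UTxO
  { utxoRef     :: TxOutRef
  , utxoAddress :: Address
  , utxoValue   :: Integer             -- loan principal locked in this UTxO
  } deriving (Show, Eq)

data Tx = Tx
  { txInputs :: [UTxO]                 -- UTxOs this transaction spends
  , txPaid   :: Integer                -- repayment sent back to the protocol
  } deriving Show

-- A validator runs once per script input being spent: it sees its own
-- input and the whole transaction.
type Validator = UTxO -> Tx -> Bool

scriptAddr :: Address
scriptAddr = "addr_script_lending"     -- constructed placeholder address

scriptInputs :: Tx -> [UTxO]
scriptInputs = filter ((== scriptAddr) . utxoAddress) . txInputs

-- Business rule: closing a set of loans requires repaying their total.
repaymentCovered :: [UTxO] -> Tx -> Bool
repaymentCovered loans tx = txPaid tx >= sum (map utxoValue loans)

-- Vulnerable pattern: an input that is not the first script input
-- skips the check entirely, so only the first loan is ever verified.
vulnerableValidator :: Validator
vulnerableValidator own tx =
  case scriptInputs tx of
    (first : _) | utxoRef own /= utxoRef first -> True   -- not first: skip!
    _                                          -> repaymentCovered [own] tx

-- Hardened pattern: every script input, whatever its position, checks
-- that the repayment covers ALL script inputs spent in the transaction.
hardenedValidator :: Validator
hardenedValidator _own tx = repaymentCovered (scriptInputs tx) tx

-- The ledger accepts the transaction only if every script input validates.
validates :: Validator -> Tx -> Bool
validates v tx = all (\i -> v i tx) (scriptInputs tx)

-- The threat model's four steps: find a script input, find another unspent
-- UTxO at the same address, add it as an extra input, re-run validation.
-- Nothing  = no additional UTxO available (test would be skipped)
-- Just True  = duplicated transaction still validates: vulnerable
-- Just False = duplicated transaction rejected: mitigated
inputDuplicationCheck :: Validator -> [UTxO] -> Tx -> Maybe Bool
inputDuplicationCheck v utxoSet tx = do
  victim <- find ((== scriptAddr) . utxoAddress) (txInputs tx)
  let alreadySpent = map utxoRef (txInputs tx)
  extra  <- find (\u -> utxoAddress u == utxoAddress victim
                     && utxoRef u `notElem` alreadySpent) utxoSet
  let tx' = tx { txInputs = txInputs tx ++ [extra] }
  pure (validates v tx')

main :: IO ()
main = do
  let loanA   = UTxO ("tx#1", 0) scriptAddr 100    -- constructed sample UTxOs
      loanB   = UTxO ("tx#2", 0) scriptAddr 250
      utxoSet = [loanA, loanB]
      honest  = Tx { txInputs = [loanA], txPaid = 100 }  -- repays loan A only
  print (validates vulnerableValidator honest)
  print (validates hardenedValidator honest)
  print (inputDuplicationCheck vulnerableValidator utxoSet honest)
  print (inputDuplicationCheck hardenedValidator   utxoSet honest)
```

Both validators accept the honest transaction. Adding `loanB` as a second input with no extra repayment still passes under `vulnerableValidator`, because `loanB` is not the first script input and is waved through, whereas `hardenedValidator` rejects it since 100 no longer covers the 350 locked across both inputs. The `Nothing` branch mirrors the note above: when no other UTxO exists at the script address there is nothing to duplicate and the check is skipped.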