| Safe Haskell | Safe-Inferred |
|---|---|
| Language | Haskell2010 |
Convex.ThreatModel.InvalidScriptPurpose
Description
Threat model for detecting Invalid Script Purpose vulnerabilities.
An Invalid Script Purpose Attack reuses a spending validator as a minting
policy. If the script does not strictly check its purpose, it may validate
under MintingScript context even though it was intended to run only under
SpendingScript context.
Consequences
- Authorization bypass: Spending-specific checks may be skipped when the same script is executed under minting purpose.
- Unexpected code paths: Purpose-dependent logic can be triggered in ways that were never intended by contract authors.
Mitigation
A secure spending validator should explicitly reject non-spending purposes,
for example by matching only on SpendingScript and failing otherwise.
This threat model mutates a valid transaction by adding a mint action that executes the provided Plutus V3 script as a minting policy. If the modified transaction still validates, the script may be vulnerable to purpose confusion.
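As an added illustration of the mitigation above (example code, not part of the convex library), a validator that ignores its purpose next to one that matches only on SpendingScript and fails otherwise. It assumes plutus-ledger-api's PlutusLedgerApi.V3 types and PlutusTx.Builtins.toBuiltin; the UTxO reference and policy id used as sample purposes are constructed.

```haskell
module PurposeGuard where

import qualified Data.ByteString as BS
import PlutusLedgerApi.V3
  ( CurrencySymbol (..), PubKeyHash, ScriptContext (..), ScriptInfo (..)
  , TxId (..), TxOutRef (..) )
import PlutusLedgerApi.V3.Contexts (txSignedBy)
import PlutusTx.Builtins (toBuiltin)

-- Vulnerable shape: the validator only inspects TxInfo and never asks which
-- purpose it is running under. Reused as a minting policy it performs the
-- same signature check, so the spending-specific intent is lost.
looseValidator :: PubKeyHash -> ScriptContext -> Bool
looseValidator owner ctx = txSignedBy (scriptContextTxInfo ctx) owner

-- Hardened shape: the purpose is checked first, and every purpose other than
-- SpendingScript is rejected before any further logic runs.
strictValidator :: PubKeyHash -> ScriptContext -> Bool
strictValidator owner ctx
  | isSpendingPurpose (scriptContextScriptInfo ctx) =
      txSignedBy (scriptContextTxInfo ctx) owner
  | otherwise = False

-- The purpose guard itself, factored out so it can be exercised off-chain.
isSpendingPurpose :: ScriptInfo -> Bool
isSpendingPurpose (SpendingScript _ _) = True
isSpendingPurpose _                    = False

-- Constructed sample purposes: a spend of a made-up UTxO, and a mint under a
-- made-up policy id, which is the purpose the threat model forces.
sampleSpend :: ScriptInfo
sampleSpend =
  SpendingScript (TxOutRef (TxId (toBuiltin (BS.replicate 32 0x11))) 0) Nothing

sampleMint :: ScriptInfo
sampleMint = MintingScript (CurrencySymbol (toBuiltin (BS.replicate 28 0x22)))

-- Run the guard over both sample purposes: only the spend should pass.
main :: IO ()
main = do
  putStrLn ("spending purpose passes guard: " ++ show (isSpendingPurpose sampleSpend))
  putStrLn ("minting purpose passes guard:  " ++ show (isSpendingPurpose sampleMint))
```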
Synopsis
- invalidScriptPurposeAttack :: IsPlutusScriptInEra lang => PlutusScript lang -> ThreatModel ()
- invalidScriptPurposeAttackWith :: IsPlutusScriptInEra lang => ScriptData -> AssetName -> Quantity -> PlutusScript lang -> ThreatModel ()
Documentation
invalidScriptPurposeAttack :: IsPlutusScriptInEra lang => PlutusScript lang -> ThreatModel ()
Default Invalid Script Purpose attack for Plutus V3 scripts.
Uses a unit-style redeemer (Constr 0 []), mints quantity 1, and uses a test
asset name "deadbeef".
invalidScriptPurposeAttackWith :: IsPlutusScriptInEra lang => ScriptData -> AssetName -> Quantity -> PlutusScript lang -> ThreatModel ()
Invalid Script Purpose attack with a configurable redeemer, asset name, and quantity.
Given a script intended for spending validation, this threat model:
- Requires that the transaction spends at least one script input
- Selects a key-address output as recipient for minted tokens
- Adds minting under the provided script (forcing MintingScript purpose)
- Updates the selected output value to include minted tokens
- Expects the modified transaction to fail validation
If it validates, the contract may accept an unintended script purpose.