| Safe Haskell | Safe-Inferred |
|---|---|
| Language | Haskell2010 |
Convex.ThreatModel.UnprotectedScriptOutput
Description
Threat model for detecting scripts that don't validate output addresses.
Many Plutus scripts validate datum state transitions but forget to check that outputs actually go to the correct address. This allows an attacker to redirect funds while satisfying the script's datum requirements.
Example vulnerable pattern:

```haskell
validator :: Datum -> Redeemer -> ScriptContext -> Bool
validator oldState action ctx =
  let newState = getOutputDatum ctx
  in validTransition oldState action newState -- Only checks datum, not address!
```

A secure script should also verify:

```haskell
  && outputGoesToSameScript ctx
  && valueIsPreserved ctx
```
Documentation
```haskell
unprotectedScriptOutput :: ThreatModel ()
```
Check for unprotected script output vulnerabilities.
For a transaction that spends a script UTxO and produces an output back to the same script address:
- Try redirecting that output to the transaction signer (the attacker).
- If the transaction still validates, the script does not properly protect its outputs: it only validates the datum, not the output address.
This catches a common vulnerability pattern where scripts implement state machine logic but forget to enforce that outputs stay at the script address.
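The following is an added, self-contained example (not the module's own code, and not plutus-ledger-api's types) that covers both the vulnerable pattern shown under Description and the redirect-to-signer check described above. It uses a small stand-in ledger model whose type and field names (`ScriptContext`, `TxOut`, `continuingOutputs`, `redirectToSigner`, `unprotectedOutput`) are this example's own assumptions; the counter state machine and the sample transaction are constructed for illustration.

```haskell
-- Added example: a simplified ledger model used to show (1) the vulnerable
-- validator beside a hardened one and (2) the redirect-to-signer mutation that
-- the threat model applies. Names here are the example's own, not Plutus's.
module Main where

import Data.List (find)

-- Constructed, simplified ledger model.
newtype ScriptHash = ScriptHash String deriving (Eq, Show)
newtype PubKeyHash = PubKeyHash String deriving (Eq, Show)

data Address = ScriptAddr ScriptHash | PubKeyAddr PubKeyHash
  deriving (Eq, Show)

-- A counter state machine: the datum is the counter value.
newtype Datum = Datum Integer deriving (Eq, Show)
data Redeemer = Increment deriving (Eq, Show)

data TxOut = TxOut
  { outAddress :: Address
  , outValue   :: Integer
  , outDatum   :: Maybe Datum
  } deriving (Eq, Show)

-- Minimal script context: the spent input, all outputs, and the signers.
data ScriptContext = ScriptContext
  { ownHash   :: ScriptHash
  , ownInput  :: TxOut
  , txOutputs :: [TxOut]
  , txSigners :: [PubKeyHash]
  } deriving (Show)

-- Outputs that go back to the script's own address.
continuingOutputs :: ScriptContext -> [TxOut]
continuingOutputs ctx =
  filter ((== ScriptAddr (ownHash ctx)) . outAddress) (txOutputs ctx)

-- Datum state transition: the counter must increase by exactly one.
validTransition :: Datum -> Redeemer -> Datum -> Bool
validTransition (Datum old) Increment (Datum new) = new == old + 1

-- Vulnerable helper: picks the first output with a datum, wherever it goes.
getOutputDatum :: ScriptContext -> Maybe Datum
getOutputDatum ctx = outDatum =<< find (\o -> outDatum o /= Nothing) (txOutputs ctx)

-- Vulnerable validator: checks the datum transition only.
vulnerableValidator :: Datum -> Redeemer -> ScriptContext -> Bool
vulnerableValidator oldState action ctx =
  case getOutputDatum ctx of
    Just newState -> validTransition oldState action newState
    Nothing       -> False

-- Hardened validator: exactly one continuing output at the script address,
-- value preserved, and the transition checked against that output's datum.
hardenedValidator :: Datum -> Redeemer -> ScriptContext -> Bool
hardenedValidator oldState action ctx =
  case continuingOutputs ctx of           -- outputGoesToSameScript
    [o] -> case outDatum o of
             Just newState ->
                  validTransition oldState action newState
               && outValue o >= outValue (ownInput ctx)   -- valueIsPreserved
             Nothing -> False
    _   -> False

-- The threat model's mutation: send every output that would return to the
-- script to the first signer instead, keeping its value and datum intact.
redirectToSigner :: ScriptContext -> Maybe ScriptContext
redirectToSigner ctx = case txSigners ctx of
  []         -> Nothing
  (signer:_) ->
    let redirect o
          | outAddress o == ScriptAddr (ownHash ctx) = o { outAddress = PubKeyAddr signer }
          | otherwise                                = o
    in Just ctx { txOutputs = map redirect (txOutputs ctx) }

-- True when the script is unprotected: the original transaction validates
-- and the redirected transaction still validates.
unprotectedOutput
  :: (Datum -> Redeemer -> ScriptContext -> Bool)
  -> Datum -> Redeemer -> ScriptContext -> Bool
unprotectedOutput validator d r ctx =
  validator d r ctx && maybe False (validator d r) (redirectToSigner ctx)

-- Constructed sample: spend counter=3 at the script, produce counter=4 back to it.
sampleCtx :: ScriptContext
sampleCtx = ScriptContext
  { ownHash   = ScriptHash "counter-script"
  , ownInput  = TxOut (ScriptAddr (ScriptHash "counter-script")) 10 (Just (Datum 3))
  , txOutputs = [TxOut (ScriptAddr (ScriptHash "counter-script")) 10 (Just (Datum 4))]
  , txSigners = [PubKeyHash "signer"]
  }

main :: IO ()
main = do
  putStrLn $ "vulnerable validator unprotected: "
    ++ show (unprotectedOutput vulnerableValidator (Datum 3) Increment sampleCtx)
  putStrLn $ "hardened validator unprotected:   "
    ++ show (unprotectedOutput hardenedValidator (Datum 3) Increment sampleCtx)
```

Running `main` reports the vulnerable validator as unprotected, because after the mutation the datum-only check still finds a `Datum 4` output and passes, while the hardened validator rejects the mutated transaction as soon as `continuingOutputs` comes back empty. The same check generalises to any validator signature of the form `Datum -> Redeemer -> ScriptContext -> Bool`: wire it in as the `validator` argument and the mutation and comparison stay unchanged.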