Impact

At the end of a contract execution, when opcode SUICIDE marks a contract to be deleted, we use storage::remove_prefix (now renamed to storage::clear_prefix) to remove all storages associated with it. This is a single IO primitive call passing the WebAssembly boundary.

For large contracts, the call (without providing a limit parameter) can be slow. In addition, for parachains, all storages to be deleted will be part of the PoV, which easily exceed relay chain PoV size limit. On the other hand, we only charge a fixed cost for opcode SUICIDE.

The severity of this security advisory is high, because an attacker can craft a contract with a lot of storage values on a parachain, and then call opcode SUICIDE on the contract. If the transaction makes into a parachain block, the parachain will then stall because the PoV size will exceed relay chain's limit. This is especially an issue for XCM transactions, because they can't be skipped.

Patches

The issue is fixed in PR #1212
Please upgrade to commit aea5281 or higher.

The recommendations are as follows:

• For parachains, it's recommended to issue an emergency runtime upgrade as soon as possible.
• For standalone chains, the impact is less severe because the issue mainly affects PoV sizes. It's recommended to issue a normal runtime upgrade as soon as possible.

Workarounds

None.

References

None.

Credits

Thanks to Moonsong Labs for the report!