Listen to this Post
The vulnerability resides in the `
` macro of the Soroban SDK. In Rust, functions on a type can be defined inherently (directly on the type) or via trait implementations. When calling <code>Type::function()</code>, Rust prioritizes inherent functions over trait functions. The macro bug causes it to generate code using `Type::function()` style calls even when processing trait implementations. If a contract has both an inherent function and a trait function with the same name, the Wasm export points to the inherent function instead of the trait function. This occurs when an `impl Trait for Contract` block with `[bash]` and an `impl Contract` block without `[bash]` share function names. If the trait function contains security checks (e.g., authorization) that the inherent function lacks, those checks are bypassed. Attackers calling the public interface invoke the wrong function, leading to unauthorized actions. For example, an inherent function returning 1 might be called instead of a trait function returning 2, or worse, skipping validations. The issue is patched in `soroban-sdk-macros` version 25.1.1 by changing the generated call from `<Type>::func()` to `<Type as Trait>::func()` to ensure correct resolution. Users must upgrade and recompile contracts. If upgrade is impossible, rename conflicting inherent functions to avoid ambiguity. No CVE ID is provided, but the vulnerability is critical. Platform: Soroban SDK Version: Before 25.1.1 Vulnerability: Macro bug function mismatch Severity: Critical Date: Not specified <h2 style="color: blue;">Prediction: Patch available 25.1.1</h2> <h2 style="color: blue;">What Undercode Say:</h2> Showing bash commands and codes related to the blog [bash] Check soroban-sdk-macros version in Cargo.toml grep soroban-sdk-macros Cargo.toml Upgrade to patched version cargo update -p soroban-sdk-macros --precise 25.1.1 Example vulnerable code (Cargo.toml dependency) [bash] soroban-sdk = "25.0.0" soroban-sdk-macros = "25.0.0"
// Vulnerable pattern
[bash]
pub struct Contract;
impl Contract {
pub fn value() -> u32 { // Inherent function
1
}
}
pub trait Trait {
fn value(env: Env) -> u32;
}
[bash]
impl Trait for Contract {
fn value(env: Env) -> u32 { // Trait function with checks
// Security check here
2
}
}
// Fixed workaround: rename inherent function
impl Contract {
pub fn value_inherent() -> u32 { // Renamed to avoid conflict
1
}
}
how Exploit:
An attacker interacts with the contract’s public interface, expecting to call the trait function (e.g., `value` with security checks). Due to the macro bug, the Wasm export invokes the inherent function with the same name, bypassing any authorization or validation in the trait function. This can lead to unauthorized state changes or exposure of sensitive data.
Protection from this CVE
Upgrade `soroban-sdk-macros` to version 25.1.1 or later and recompile all contracts. If upgrade is delayed, audit contract code to ensure no inherent function shares a name with any trait function in `[bash]` blocks; rename or remove conflicting inherent functions immediately.
Impact
Critical: Security checks in trait functions are silently bypassed, allowing unauthorized access or incorrect contract execution. This undermines contract integrity and can lead to financial loss or data breaches in deployed Soroban smart contracts.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

