Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Rust rs-soroban-sdk Macro Can Call Wrong Function
CVE-2026-26267
GHSA-4chv-4c6w-w254
Summary
The rs-soroban-sdk macro can mistakenly call the wrong function when two functions with the same name are defined on a contract. This can bypass security checks if the trait version of the function contains them. To fix this, ensure the #[contractimpl] macro is applied to both the inherent and trait functions, or rename one of the functions to avoid the conflict.
What to do
- Update soroban-sdk-macros to version 25.1.1.
- Update soroban-sdk-macros to version 23.5.2.
- Update soroban-sdk-macros to version 22.0.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | soroban-sdk-macros | > 25.0.0 , <= 25.1.0 | 25.1.1 |
| – | soroban-sdk-macros | > 23.0.0 , <= 23.5.1 | 23.5.2 |
| – | soroban-sdk-macros | <= 22.0.9 | 22.0.10 |
| stellar | rs-soroban-sdk | <= 22.0.10 | – |
| stellar | rs-soroban-sdk | > 23.0.0 , <= 23.5.2 | – |
| stellar | rs-soroban-sdk | > 25.0.0 , <= 25.1.1 | – |
Original title
The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide
Original description
### Impact
The `#[contractimpl]` macro contains a bug in how it wires up function calls.
In Rust, you can define functions on a type in two ways:
- Directly on the type as an inherent function:
```rust
impl MyContract {
fn value() { ... }
}
```
- Through a trait
```rust
impl Trait for MyContract {
fn value() { ... }
}
```
These are two separate functions that happen to share the same name. Rust has rules for which one gets called. When you write `MyContract::value()`, Rust always picks the one defined directly on the type, not the trait version.
The bug is that `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function.
This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously:
1. A `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied.
2. A `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied.
If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function.
For example:
```rust
#[contract]
pub struct Contract;
impl Contract {
/// Inherent function — returns 1.
/// Bug: The macro-generated WASM export is wired up to call this function.
pub fn value() -> u32 {
1
}
}
pub trait Trait {
fn value(env: Env) -> u32;
}
#[contractimpl]
impl Trait for MyContract {
/// Trait implementation — returns 2.
/// Fix: The macro-generated WASM export should call this function.
fn value() -> u32 {
2
}
}
```
### Patches
The problem is patched in `soroban-sdk-macros` version **25.1.1**. The fix changes the generated call from `<Type>::func()` to `<Type as Trait>::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists.
Users should upgrade to `soroban-sdk-macros` **>= 25.1.1** and recompile their contracts.
### Workarounds
If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.
The `#[contractimpl]` macro contains a bug in how it wires up function calls.
In Rust, you can define functions on a type in two ways:
- Directly on the type as an inherent function:
```rust
impl MyContract {
fn value() { ... }
}
```
- Through a trait
```rust
impl Trait for MyContract {
fn value() { ... }
}
```
These are two separate functions that happen to share the same name. Rust has rules for which one gets called. When you write `MyContract::value()`, Rust always picks the one defined directly on the type, not the trait version.
The bug is that `#[contractimpl]` generates code that uses `MyContract::value()` style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function.
This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously:
1. A `impl Trait for MyContract` block is defined with one or more functions, with `#[contractimpl]` applied.
2. A `impl MyContract` block is defined with one or more identically named functions, without `#[contractimpl]` applied.
If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function.
For example:
```rust
#[contract]
pub struct Contract;
impl Contract {
/// Inherent function — returns 1.
/// Bug: The macro-generated WASM export is wired up to call this function.
pub fn value() -> u32 {
1
}
}
pub trait Trait {
fn value(env: Env) -> u32;
}
#[contractimpl]
impl Trait for MyContract {
/// Trait implementation — returns 2.
/// Fix: The macro-generated WASM export should call this function.
fn value() -> u32 {
2
}
}
```
### Patches
The problem is patched in `soroban-sdk-macros` version **25.1.1**. The fix changes the generated call from `<Type>::func()` to `<Type as Trait>::func()` when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists.
Users should upgrade to `soroban-sdk-macros` **>= 25.1.1** and recompile their contracts.
### Workarounds
If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.
nvd CVSS3.1
7.5
Vulnerability type
CWE-670
- https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-4chv-4c6w-w25... Exploit Patch Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-26267
- https://github.com/advisories/GHSA-4chv-4c6w-w254
- https://github.com/stellar/rs-soroban-sdk/commit/e92a3933e5f92dc09da3c740cf6a360... Patch
- https://github.com/stellar/rs-soroban-sdk/pull/1729 Issue Tracking Patch
- https://github.com/stellar/rs-soroban-sdk/pull/1730 Issue Tracking Patch
- https://github.com/stellar/rs-soroban-sdk/pull/1731 Issue Tracking Patch
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026