The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide

Description

Impact

The #[contractimpl] macro contains a bug in how it wires up function calls.

In Rust, you can define functions on a type in two ways:
- Directly on the type as an inherent function:
rust impl MyContract { fn value() { ... } }
- Through a trait
rust impl Trait for MyContract { fn value() { ... } }

These are two separate functions that happen to share the same name. Rust has rules for which one gets called. When you write MyContract::value(), Rust always picks the one defined directly on the type, not the trait version.

The bug is that #[contractimpl] generates code that uses MyContract::value() style calls even when it's processing the trait version. This means if an inherent function is also defined with the same name, the inherent function gets called instead of the trait function.

This means the Wasm-exported entry point silently calls the wrong function when two conditions are met simultaneously:
1. A impl Trait for MyContract block is defined with one or more functions, with #[contractimpl] applied.
2. A impl MyContract block is defined with one or more identically named functions, without #[contractimpl] applied.

If the trait version contains important security checks, such as verifying the caller is authorized, that the inherent version does not, those checks are bypassed. Anyone interacting with the contract through its public interface will call the wrong function.

For example:

#[contract]
pub struct Contract;

impl Contract {
    /// Inherent function — returns 1.
    /// Bug: The macro-generated WASM export is wired up to call this function.
    pub fn value() -> u32 {
        1
    }
}

pub trait Trait {
    fn value(env: Env) -> u32;
}

#[contractimpl]
impl Trait for MyContract {
    /// Trait implementation — returns 2.
    /// Fix: The macro-generated WASM export should call this function.
    fn value() -> u32 {
        2
    }
}

Patches

The problem is patched in soroban-sdk-macros version 25.1.1. The fix changes the generated call from <Type>::func() to <Type as Trait>::func() when processing trait implementations, ensuring Rust resolves to the trait associated function regardless of whether an inherent function with the same name exists.

Users should upgrade to soroban-sdk-macros >= 25.1.1 and recompile their contracts.

Workarounds

If upgrading is not immediately possible, contract developers can avoid the issue by ensuring that no inherent associated function on the contract type shares a name with any function in the trait implementation. Renaming or removing the conflicting inherent function eliminates the ambiguity and causes the macro-generated code to correctly resolve to the trait function.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-02-17 21:29:05 UTC
Updated
2026-02-19 21:56:47 UTC
GitHub reviewed
2026-02-17 21:29:05 UTC
NVD published
2026-02-19

EPSS Score

Score Percentile
0.05% 15.46%

CVSS Scores

Base score Version Severity Vector
7.5 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-670 Always-Incorrect Control Flow Implementation

Credits

  • leighmcculloch (remediation_developer)
  • mootz12 (remediation_reviewer)
  • nan-zellic (finder)
  • dmkozh (analyst)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rust soroban-sdk-macros >= 25.0.0, <= 25.1.0 25.1.1
rust soroban-sdk-macros >= 23.0.0, <= 23.5.1 23.5.2
rust soroban-sdk-macros <= 22.0.9 22.0.10

References

cvelogic Threat Intelligence