CertiK explores two critical vulnerabilities in Soroban contract state storage: keeping long-lived data in Temporary storage, which is irreversibly lost when the entry's TTL runs out, and relying on TTL expiry alone to invalidate nonces, which enables signature replay attacks. The article walks through the vulnerable code patterns and their secure alternatives using Persistent and Instance storage.

CertiK's technical breakdown examines Soroban's State Expiration and Rent model, in which every contract data entry pays rent for a Time-To-Live (TTL) measured in ledgers. The platform offers three storage types: Temporary (cheap and ephemeral; the entry is deleted when its TTL ends), Persistent (archived when its TTL ends, but restorable by paying rent again), and Instance (stored with the contract instance itself and sharing its lifetime). The article identifies two high-impact vulnerabilities developers often introduce. First, storing critical data such as user balances in Temporary storage leads to silent, irreversible loss once the entry's TTL reaches zero, unlike EVM contracts, whose state persists indefinitely. Second, contracts that use TTL expiry as the sole criterion for invalidating a signed nonce let an attacker extend the entry's TTL and reuse an old signature. Concrete code examples demonstrate each vulnerability on the Soroban testnet, with clear solutions showing how Persistent and Instance storage prevent these failures.
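Both patterns the summary describes, as an added example that is not from the CertiK article or the Soroban SDK: a plain-Rust model of the rent and TTL semantics, in which the `Ledger`, `Durability` and `AuthContract` types, the storage keys, the TTL figures and the `sig_ok` stand-in for signature verification are all assumptions. `balance_after_expiry` shows a balance written to Temporary storage vanishing after its TTL, while the same balance in Persistent storage is archived and can be restored; `replay_count` shows a nonce whose only invalidation is TTL expiry being replayed after the attacker extends the TTL, and the fix chosen here (consume the nonce on use and record it in Persistent storage) stopping the replay.

```rust
// Added example, not from the CertiK article or soroban-sdk: a plain-Rust model
// of Soroban TTL/rent semantics. Assumed: a Temporary entry is deleted when its
// TTL ends, a Persistent entry is archived and must be restored before access,
// and any account may extend a live entry's TTL.
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Durability { Temporary, Persistent }

struct Entry { value: i128, live_until: u32, archived: bool }

#[derive(Default)]
pub struct Ledger { pub seq: u32, temp: HashMap<String, Entry>, persist: HashMap<String, Entry> }

impl Ledger {
    fn map(&mut self, d: Durability) -> &mut HashMap<String, Entry> {
        if d == Durability::Temporary { &mut self.temp } else { &mut self.persist }
    }
    pub fn set(&mut self, d: Durability, key: &str, value: i128, ttl: u32) {
        let live_until = self.seq + ttl; // last ledger at which the entry is live
        self.map(d).insert(key.to_string(), Entry { value, live_until, archived: false });
    }
    /// An archived Persistent entry is an error: a Soroban tx touching one fails.
    pub fn get(&self, d: Durability, key: &str) -> Result<Option<i128>, String> {
        let m = if d == Durability::Temporary { &self.temp } else { &self.persist };
        match m.get(key) {
            Some(e) if e.archived => Err(format!("{key}: archived, restore it first")),
            Some(e) => Ok(Some(e.value)),
            None => Ok(None),
        }
    }
    pub fn has(&self, d: Durability, key: &str) -> Result<bool, String> { Ok(self.get(d, key)?.is_some()) }
    pub fn remove(&mut self, d: Durability, key: &str) { self.map(d).remove(key); }
    /// Anyone can extend any live entry's TTL; there is no owner check.
    pub fn extend_ttl(&mut self, d: Durability, key: &str, extend_to: u32) {
        let target = self.seq + extend_to;
        if let Some(e) = self.map(d).get_mut(key) {
            if !e.archived { e.live_until = e.live_until.max(target); }
        }
    }
    /// Restore an archived Persistent entry, paying rent for a fresh TTL.
    pub fn restore(&mut self, key: &str, ttl: u32) -> bool {
        let target = self.seq + ttl;
        match self.persist.get_mut(key) {
            Some(e) if e.archived => { e.archived = false; e.live_until = target; true }
            _ => false,
        }
    }
    /// Advance `n` ledgers: expired Temporary entries vanish, Persistent ones archive.
    pub fn advance(&mut self, n: u32) {
        self.seq += n;
        let seq = self.seq;
        self.temp.retain(|_, e| e.live_until >= seq);
        for e in self.persist.values_mut() { if e.live_until < seq { e.archived = true; } }
    }
}

/// Vulnerability 1: balance read one ledger after its TTL ended (Temporary -> gone for good).
pub fn balance_after_expiry(d: Durability) -> Option<i128> {
    let mut l = Ledger::default();
    l.set(d, "balance:alice", 1_000, 100);
    l.advance(101);
    match l.get(d, "balance:alice") {
        Ok(v) => v,
        Err(_) => { l.restore("balance:alice", 100); l.get(d, "balance:alice").unwrap() }
    }
}

/// Vulnerability 2: signed-nonce authorisation. With `consume_on_use == false`
/// the only thing that ever invalidates a nonce is its Temporary entry expiring.
pub struct AuthContract { pub ledger: Ledger, pub consume_on_use: bool, pub executed: u32 }
impl AuthContract {
    pub fn grant(&mut self, nonce: &str, ttl: u32) { self.ledger.set(Durability::Temporary, nonce, 1, ttl); }
    /// `sig_ok` stands in for signature verification, assumed already done.
    pub fn execute(&mut self, nonce: &str, sig_ok: bool) -> Result<(), String> {
        if !sig_ok { return Err("bad signature".into()); }
        let used = format!("used:{nonce}");
        if self.ledger.has(Durability::Persistent, &used)? { return Err("nonce already used".into()); }
        if !self.ledger.has(Durability::Temporary, nonce)? { return Err("nonce unknown or expired".into()); }
        if self.consume_on_use {
            self.ledger.remove(Durability::Temporary, nonce);             // consume explicitly
            self.ledger.set(Durability::Persistent, &used, 1, 1_000_000); // and record it durably
        }
        self.executed += 1;
        Ok(())
    }
}

/// Executions of one signature: 2 when the attacker extends the TTL and replays, 1 when consumed.
pub fn replay_count(consume_on_use: bool) -> u32 {
    let mut c = AuthContract { ledger: Ledger::default(), consume_on_use, executed: 0 };
    c.grant("nonce:42", 10);
    let _ = c.execute("nonce:42", true);                           // legitimate use
    c.ledger.advance(5);
    c.ledger.extend_ttl(Durability::Temporary, "nonce:42", 1_000); // attacker keeps the entry alive
    c.ledger.advance(500);                                         // far past the intended 10-ledger window
    let _ = c.execute("nonce:42", true);                           // same signature again
    c.executed
}
```

The model's `get` returns an error on an archived Persistent entry rather than `None`, mirroring the fact that a transaction touching an archived entry fails until the entry is restored; that is why the Persistent used-nonce record fails closed instead of silently re-enabling the nonce, whereas the Temporary balance simply reads back as absent.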