Veridise security analysts discovered a critical issue in Soroban's build-test-deploy process where the `createimport!` macro allows deployment of contracts with outdated or incorrect imported dependencies without requiring them to be listed as crate dependencies, potentially leading to broken contracts in production.

Veridise has identified a significant security vulnerability in Soroban's smart contract development workflow. The issue stems from the `createimport!` macro, which does not enforce that imported contracts be declared as crate dependencies. This can result in stale or incorrect imported resources being compiled into deployed contracts. The problem is particularly dangerous because running tests may not catch the issue, creating a false sense of security for developers. If left unaddressed, this vulnerability could lead to the deployment of broken or compromised contracts in production environments. The article explains the technical details of the issue, demonstrates how to replicate it, and provides a straightforward solution to prevent such deployments.
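The failure mode described above is that the artifact embedded by the import macro can silently drift from the crate it was built from, and that nothing in the build forces the crate to be declared as a dependency. The check below is an added example written for this summary; it is not Veridise's tooling, not the fix the article proposes, and not part of the Soroban SDK. It assumes two things that are not in the text: that the set of "declared" contracts can be read from the `[dependencies]` section of the consuming crate's Cargo.toml, and that a freshly rebuilt WASM whose SHA-256 differs from the artifact on disk counts as stale. The Cargo.toml and WASM byte strings are constructed sample inputs.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ImportedArtifact:
    """A contract artifact that the build would embed via an import macro."""
    crate: str          # crate the artifact is supposed to have been built from
    wasm_bytes: bytes   # bytes of the artifact actually present on disk


def declared_dependencies(cargo_toml: str) -> set:
    """Collect crate names from [dependencies] / [dev-dependencies] sections.
    Minimal line-based parse of the common forms, not a full TOML parser."""
    deps = set()
    section = None
    for raw in cargo_toml.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1).strip()
            # [dependencies.foo] style tables name the crate in the header
            for prefix in ("dependencies.", "dev-dependencies."):
                if name.startswith(prefix):
                    deps.add(name[len(prefix):])
            section = name
            continue
        if section in ("dependencies", "dev-dependencies"):
            key = line.split("=", 1)[0].strip().strip('"')
            if key:
                deps.add(key)
    return deps


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_imports(imports, fresh_builds, declared):
    """Return sorted (kind, crate) findings.

    'undeclared'     : the imported crate is not a declared dependency, so the
                       build will not rebuild it and the artifact can go stale.
    'no-fresh-build' : no freshly built artifact exists to compare against.
    'stale'          : the embedded artifact differs from the fresh build.
    """
    findings = []
    for imp in imports:
        if imp.crate not in declared:
            findings.append(("undeclared", imp.crate))
        fresh = fresh_builds.get(imp.crate)
        if fresh is None:
            findings.append(("no-fresh-build", imp.crate))
        elif sha256_hex(fresh) != sha256_hex(imp.wasm_bytes):
            findings.append(("stale", imp.crate))
    return sorted(findings)


# --- constructed sample inputs (not from the article) -----------------------
CARGO_TOML = """\
[package]
name = "caller_contract"      # hypothetical consuming contract
version = "0.1.0"

[dependencies]
soroban-sdk = "20.0.0"        # version chosen for the example only
token_contract = { path = "../token_contract" }
"""

WASM_HEADER = b"\x00asm\x01\x00\x00\x00"   # wasm magic + version, for realism

# What a clean rebuild of each dependency produces right now.
FRESH_BUILDS = {
    "token_contract": WASM_HEADER + b"token-v2",
    "oracle_contract": WASM_HEADER + b"oracle-v1",
}

# What the import macro would actually embed from disk.
IMPORTS = [
    ImportedArtifact("token_contract", WASM_HEADER + b"token-v1"),    # outdated
    ImportedArtifact("oracle_contract", WASM_HEADER + b"oracle-v1"),  # current, but undeclared
]


def run_check():
    return check_imports(IMPORTS, FRESH_BUILDS, declared_dependencies(CARGO_TOML))


if __name__ == "__main__":
    for kind, crate in run_check():
        print(f"{kind}: {crate}")
```

Wiring a check like this into CI before the deploy step catches both halves of the problem the summary names: an artifact that no longer matches its source, and a contract that is imported without being declared, which is exactly the case a passing test run can miss because the test exercised the stale bytes.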