#37352 [BC-Insight] Missing Liveness Check in `collectTableNodes()`

Submitted on Dec 2nd 2024 at 17:42:35 UTC by @CertiK for Attackathon | Ethereum Protocol

  • Report ID: #37352

  • Report Type: Blockchain/DLT

  • Report severity: Insight

  • Target: https://github.com/ledgerwatch/erigon

  • Impacts:

    • (Specifications) A bug in specifications with no direct impact on client implementations

Description

Brief/Intro

An issue was identified in the Ethereum client Erigon ( https://github.com/erigontech/erigon ): a node that has not passed a liveness check will still be added to the node table by collectTableNodes().

Vulnerability Details

Affected Codebase: https://github.com/erigontech/erigon/tree/v2.61.0-beta1

The function collectTableNodes() is intended to collect all the nodes for the FindNode result given a specified distance:

https://github.com/erigontech/erigon/blob/v2.60.10/accounts/abi/type.go#L158

However, it omits the liveness check when collecting the nodes into the table, which is also noted in a TODO (https://github.com/erigontech/erigon/blob/v2.61.0-beta1/p2p/discover/v5_udp.go#L839 ):

In this case, a node whose liveness has not been checked will also be included in the table.

It is worth noting that a similar issue has been fixed in go-ethereum: https://github.com/ethereum/go-ethereum/pull/28686
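The effect of the missing check can be seen in a simplified, self-contained model, added here as an illustration (it is not Erigon's or go-ethereum's code). The `node`, `table`, `collectNodes` and `sampleTable` names and the sample data are hypothetical; the model assumes, as the proof of concept describes, that `livenessChecks == 0` marks a node that was never verified.

```go
package main

import "fmt"

// node is a hypothetical table entry; livenessChecks == 0 means never verified.
type node struct {
	id             string
	livenessChecks uint
}

// table maps a log-distance to the nodes in that bucket (simplified model).
type table map[uint][]node

// collectNodes gathers up to limit nodes for the requested distances.
// With checkLive set, entries that never passed a liveness check are skipped.
func collectNodes(t table, distances []uint, limit int, checkLive bool) []node {
	var out []node
	seen := make(map[uint]struct{})
	for _, d := range distances {
		// Ignore duplicate or out-of-range distances.
		if _, dup := seen[d]; dup || d > 256 {
			continue
		}
		seen[d] = struct{}{}
		for _, n := range t[d] {
			if checkLive && n.livenessChecks == 0 {
				continue // unverified node: do not relay it
			}
			out = append(out, n)
			if len(out) >= limit {
				return out
			}
		}
	}
	return out
}

// sampleTable returns constructed data: two verified and two unverified nodes.
func sampleTable() table {
	return table{
		255: {{"a", 1}, {"b", 0}},
		256: {{"c", 0}, {"d", 3}},
	}
}

func main() {
	t, d := sampleTable(), []uint{255, 256}
	// Without the filter all four nodes are returned; with it only "a" and "d".
	fmt.Println(len(collectNodes(t, d, 16, false)), len(collectNodes(t, d, 16, true)))
}
```
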

Impact Details

Nodes with no liveness check will be included in the node table.

References

  • https://github.com/erigontech/erigon/tree/v2.61.0-beta1

  • https://github.com/ethereum/go-ethereum/pull/28686

Proof of Concept

Here we provide the following test case to show that nodes with no liveness check will be collected.

The default value of livenessChecks in the function wrapNode() is zero, meaning no liveness check has been performed; the test uses this to mimic nodes without liveness checks.

As the test result shows, all nodes without liveness check are also collected into the table:
