#38459 [BC-Low] erigon remote DoS
Previous#37286 [SC-Insight] Elimination of Security Checks in ForkCreator ClassNext#37113 [BC-Low] https://github.com/erigontech/erigon ), though it does not seem to be exploitable at
Was this helpful?
Was this helpful?
Submitted on Jan 3rd 2025 at 22:39:50 UTC by @gln for
Report ID: #38459
Report Type: Blockchain/DLT
Report severity: Low
Target: https://github.com/ledgerwatch/erigon
Impacts:
Shutdown of less than 10% of network processing nodes without brute force actions, but does not shut down the network
Erigon contains embedded consensus implementation called Caplin.
BlobSidecarsByRange handler does not validate incoming parameters.
Malformed p2p request allows an attacker to trigger infinite loop in erigon node.
Let's look at the BlobSidecarsByRange p2p handler https://github.com/erigontech/erigon/blob/main/cl/sentinel/handlers/blobs.go#L32
req.StartSlot and req.Count are not validated
ReadCanonicalBlobkRoot() returns zero hash for invalid slot
the 'for' loop continues to run
Basially, if req.StarSlot and req.Count are large enough, erigon could enter into an infinite loop.
Attacker could trigger an infinite loop in erigon node with a single malformed p2p request.
https://gist.github.com/gln7/c8106d435f0d1f3cde96f8d76e886e10
How to reproduce:
get erigon source
apply poc.patch (see gist link)
run test:
Golang enters into an infite loop and starts to output messages like these: