Attackathon _ Fuel Network 32486 - [Blockchain_DLT - Medium] Public RPC node crashes via GraphQL API
Submitted on Sun Jun 23 2024 19:31:25 GMT-0400 (Atlantic Standard Time) by @sventime for
Report ID: #32486
Report type: Blockchain/DLT
Report severity: Medium
Target: https://github.com/FuelLabs/fuel-core/tree/8b1bf02103b8c90ce3ef2ba715214fb452b99885
Impacts:
RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
A vulnerability in the public RPC node's GraphQL API allows attackers to crash the node by exploiting an unreachable!() macro in the transactions() query pagination logic.
The vulnerability exists in the pagination logic of the transactions() query in crates/fuel-core/src/schema.rs:129:17:
This code incorrectly assumes either first or last must be Some. However, valid scenarios exist where both are None while after or before or both are Some, leading to a panic when the unreachable!() macro is hit.
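The pattern described above, shown next to a hardened form. This is an added example, not code from fuel-core or from the report: the function names, the error enum and the policy of rejecting first and last together are assumptions, and the cursor value is constructed.

```rust
// Added illustration. All names here are hypothetical; this is not fuel-core's code.
use std::panic;

#[derive(Debug, PartialEq)]
pub enum Direction { Forward, Backward }

#[derive(Debug, PartialEq)]
pub enum PageError { MissingFirstOrLast, BothFirstAndLast }

type Cursor = Option<String>;

/// Shape of the bug as the report describes it: the fallthrough arm assumes
/// that `first` or `last` is always Some, so client input can reach a panic.
pub fn resolve_unchecked(first: Option<usize>, last: Option<usize>,
                         after: Cursor, before: Cursor) -> (Direction, usize, Cursor) {
    if let Some(n) = first {
        (Direction::Forward, n, after)
    } else if let Some(n) = last {
        (Direction::Backward, n, before)
    } else {
        unreachable!("first or last must be set")
    }
}

/// Hardened form: every combination of arguments maps to Ok or Err, so a
/// malformed request produces a query error rather than a process panic.
pub fn resolve_checked(first: Option<usize>, last: Option<usize>,
                       after: Cursor, before: Cursor)
                       -> Result<(Direction, usize, Cursor), PageError> {
    match (first, last) {
        (Some(_), Some(_)) => Err(PageError::BothFirstAndLast), // assumed policy
        (None, None) => Err(PageError::MissingFirstOrLast),
        (Some(n), None) => Ok((Direction::Forward, n, after)),
        (None, Some(n)) => Ok((Direction::Backward, n, before)),
    }
}

/// Returns true if the unchecked resolver panics for the given cursors
/// when neither `first` nor `last` is supplied.
pub fn unchecked_panics(after: Cursor, before: Cursor) -> bool {
    panic::catch_unwind(|| resolve_unchecked(None, None, after, before)).is_err()
}

fn main() {
    let cur = Some("constructed-cursor".to_string()); // constructed sample value
    println!("unchecked panics: {}", unchecked_panics(cur.clone(), None));
    println!("checked: {:?}", resolve_checked(None, None, cur, None));
}
```

Matching on the (first, last) tuple makes the compiler enforce that all four combinations are handled, which removes the need for an unreachable!() arm on a path that client input controls.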
Denial of Service: Repeated exploitation can cause extended RPC node downtime.
dApp and Front-end Failures: All dApps and front-end applications relying on the affected RPC will crash or become non-functional.
Reduced Trust: Frequent outages may decrease user confidence.
https://github.com/FuelLabs/fuel-core/blob/8b1bf02103b8c90ce3ef2ba715214fb452b99885/crates/fuel-core/src/schema.rs#L129
Compile fuel-core in release mode and run a local or test node:
Open http://localhost:4000/v1/playground and run the query:
(Optional) You can use fuel-ts to exploit:
Note: You can use any values for before and after just to pass validation; the only rule is not to include first and last, but to include one or both of before and after.
Node crashed with error: