Last updated
Was this helpful?
Submitted on Sun Jun 23 2024 19:31:25 GMT-0400 (Atlantic Standard Time) by @sventime for
Report ID: #32486
Report type: Blockchain/DLT
Report severity: Medium
Target: https://github.com/FuelLabs/fuel-core/tree/8b1bf02103b8c90ce3ef2ba715214fb452b99885
Impacts:
RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
A vulnerability in the public RPC node's GraphQL API allows attackers to crash the node by exploiting an unreachable!() macro in the transactions() query pagination logic.
The vulnerability exists in the pagination logic of the transactions() query in crates/fuel-core/src/schema.rs:129:17::
This code incorrectly assumes either first or last must be Some. However, valid scenarios exist where both are None while after or before or both are Some, leading to a panic when the unreachable!() macro is hit.
Denial of Service: Repeated exploitation can cause extended RPC node downtime.
dApp and Front-end Failures: All dApps and front-end applications relying on the affected RPC will crash or become non-functional.
Reduced Trust: Frequent outages may decrease user confidence.
https://github.com/FuelLabs/fuel-core/blob/8b1bf02103b8c90ce3ef2ba715214fb452b99885/crates/fuel-core/src/schema.rs#L129
Compile fuel-core in release and run local or test node:
Open http://localhost:4000/v1/playground and run query:
(Optional) You can use fuel-ts to exploit:
Note: You can use any values for
beforeandafterjust to pass validation, the only rule is not to includefirstandlast, but one of or bothbeforeandafter.
Node crashed with error:
