#41980 [BC-Insight] Full nodes panic in read-only mode whenever a transaction is sent
Submitted on Mar 19th 2025 at 18:50:44 UTC by @HollaDieWaldfee for Attackathon | Movement Labs
Report ID: #41980
Report Type: Blockchain/DLT
Report severity: Insight
Target: https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/execution/maptos/opt-executor
Impacts:
RPC API crash affecting programs with greater than or equal to 25% of the market capitalization on top of the respective layer
Description
Brief/Intro
When a full node is run in read-only mode and a SubmitTransaction request is sent to the full node, the full node will panic and shut down.
Vulnerability Details
To understand how this happens, we need to take a look at the implementation inside of read_only.rs.
If the next request of the mempool_client_receiver is a SubmitTransaction request, the node panics. As a result, the node is shut down (reference (1)).
A node is run in read-only mode whenever the maptos_config.chain.maptos_read_only flag is set to true. This can be seen in reference (2).
Impact Details
An attacker can send a SubmitTransaction request to the full node API to shut down the node.
The solution is to return an error upon invalid API calls but not to shut down the node.
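The two behaviours side by side, as an added example that is not the project's code. It assumes a simplified `Request` enum standing in for the node's mempool request type and uses std channels in place of the node's async ones; all names are hypothetical.

```rust
use std::sync::mpsc::{channel, Receiver, Sender};
use std::thread;

// Simplified stand-in for the node's mempool request type (assumption).
enum Request {
    SubmitTransaction(Vec<u8>, Sender<Result<(), String>>),
    GetTransactionByHash(u64, Sender<Option<Vec<u8>>>),
}

// Behaviour described in the report: a write request aborts the read-only task.
fn run_panicking(rx: Receiver<Request>) {
    for req in rx {
        match req {
            Request::SubmitTransaction(..) => panic!("SubmitTransaction in read-only mode"),
            Request::GetTransactionByHash(_, reply) => drop(reply.send(None)),
        }
    }
}

// Suggested behaviour: answer the caller with an error and keep serving.
fn run_rejecting(rx: Receiver<Request>) {
    for req in rx {
        match req {
            Request::SubmitTransaction(_, reply) => {
                drop(reply.send(Err("node is in read-only mode".to_string())))
            }
            Request::GetTransactionByHash(_, reply) => drop(reply.send(None)),
        }
    }
}

// Sends one submit, then one read. Returns (submit got an error reply, read was answered).
fn probe(handler: fn(Receiver<Request>)) -> (bool, bool) {
    let (tx, rx) = channel();
    let worker = thread::spawn(move || handler(rx));
    let (s_tx, s_rx) = channel();
    let _ = tx.send(Request::SubmitTransaction(vec![0u8; 4], s_tx)); // constructed payload
    let (r_tx, r_rx) = channel();
    let _ = tx.send(Request::GetTransactionByHash(1, r_tx));
    drop(tx); // no more requests: lets the handler loop end
    let out = (matches!(s_rx.recv(), Ok(Err(_))), r_rx.recv().is_ok());
    let _ = worker.join();
    out
}

fn main() {
    println!("panicking handler: {:?}", probe(run_panicking));
    println!("rejecting handler: {:?}", probe(run_rejecting));
}
```

With the panicking handler the read that follows the submit is never answered; with the rejecting handler the submitter gets an error and the read is still served.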
References
(1): https://github.com/immunefi-team/attackathon-movement/blob/a2790c6ac17b7cf02a69aea172c2b38d2be8ce00/protocol-units/execution/maptos/opt-executor/src/background/read_only.rs#L23
(2): https://github.com/immunefi-team/attackathon-movement/blob/a2790c6ac17b7cf02a69aea172c2b38d2be8ce00/protocol-units/execution/maptos/opt-executor/src/executor/initialization.rs#L208-L209
Proof of Concept
A full node is run in read-only mode.
The next request of the mempool_client_receiver is a SubmitTransaction request. This causes the node to panic. Again, this can be verified by taking a look at reference (1).