# #43110 \[BC-Critical] Validator can DoS the DA Layer by requesting a big range of blobs

**Submitted on Apr 2nd 2025 at 06:55:27 UTC by @br0nz3p1ck4x3 for** [**Attackathon | Movement Labs**](https://immunefi.com/audit-competition/movement-labs-attackathon)

* **Report ID:** #43110
* **Report Type:** Blockchain/DLT
* **Report severity:** Critical
* **Target:** <https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/light-node>
* **Impacts:**
  * Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours

## Description

Inside `passthrough::stream_read_from_height()`, the validator makes a request to the DA layer to stream blobs to the validator. This is the relevant line of code:

```rust
let mut blob_stream = da
    .stream_da_blobs_from_height(height)
    .await
    .map_err(|e| tonic::Status::internal(e.to_string()))?;
```

The issue here is that the validator can specify `height` as `1`, which leads the DA layer to waste its resources doing lookups in its local DB from `height = 1` until `current_block`. Moreover, after these lookups, the results have to be returned to the validator who made the request. As such, this simple call will DoS the DA layer.

## Impact

This simple call will permanently waste the resources of the DA layer. Without access to the DA layer, the Validator will not be able to progress and thus, the network will be stalled.

## Recommended Mitigation Steps

On the DA Layer level, constrain the range of blob height that can be streamed.
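
One way to express this constraint, as an added example that is not code from the report or from the Movement repository: a span check and a paging window, evaluated in `main` on the heights from the proof of concept. `MAX_STREAM_SPAN`, `check_span`, `bounded_window` and the 1,000-height cap are hypothetical names and values.

```rust
/// Hypothetical cap on the height span one stream request may backfill.
pub const MAX_STREAM_SPAN: u64 = 1_000;

/// Returned when a request would backfill more heights than the cap allows.
#[derive(Debug, PartialEq, Eq)]
pub struct SpanTooLarge {
    pub span: u64,
    pub max: u64,
}

/// One bounded page of heights, plus the height the caller should resume from.
#[derive(Debug, PartialEq, Eq)]
pub struct Window {
    pub start: u64,
    pub end: u64,          // inclusive
    pub next: Option<u64>, // None once the window reaches the tip
}

/// Strict policy: reject an oversized request before any database lookup.
pub fn check_span(height: u64, tip: u64, max: u64) -> Result<u64, SpanTooLarge> {
    // A start height at or above the tip has nothing to backfill (span 0).
    let span = tip.saturating_sub(height);
    if span > max {
        return Err(SpanTooLarge { span, max });
    }
    Ok(span)
}

/// Paging policy: serve at most `max` heights past `height` per request.
/// Returns None when `height` is above the tip (no historical blobs to read).
pub fn bounded_window(height: u64, tip: u64, max: u64) -> Option<Window> {
    if height > tip {
        return None;
    }
    let end = height.saturating_add(max).min(tip);
    let next = if end < tip { Some(end + 1) } else { None };
    Some(Window { start: height, end, next })
}

fn main() {
    // Heights taken from the report's proof of concept.
    let (height, current_block) = (1u64, 184_239u64);
    println!("{:?}", check_span(height, current_block, MAX_STREAM_SPAN));
    println!("{:?}", bounded_window(height, current_block, MAX_STREAM_SPAN));
}
```

With the paging policy, a caller that needs the full history resumes from `next` on each request, so the cost of any single call stays bounded by the cap.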

## Proof of Concept

The PoC is very straightforward. We will start by defining a few variables.

Let:

* `current_block = 184239`
* `height = 1`

Step one: The malicious validator makes a call to `stream_read_from_height()`, using the `height` variable as defined above.

Step two: The honest DA layer operator will try to look up and return the blobs between `height <-> current_block`, which spans **184238** blocks.

Step three: The honest DA layer will not be able to process this and thus, the network will stall.

