#43110 [BC-Critical] Validator can DoS the DA Layer by requesting a big range of blobs

Submitted on Apr 2nd 2025 at 06:55:27 UTC by @br0nz3p1ck4x3 for Attackathon | Movement Labs

  • Report ID: #43110

  • Report Type: Blockchain/DLT

  • Report severity: Critical

  • Target: https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/light-node

  • Impacts:

    • Increasing network processing node resource consumption by at least 30% without brute force actions, compared to the preceding 24 hours

Description

Inside passthrough::stream_read_from_height(), the validator makes a request to the DA layer to stream blobs back to the validator. This is the relevant line of code:

```rust
let mut blob_stream = da.stream_da_blobs_from_height(height).await.map_err(|e| tonic::Status::internal(e.to_string()))?;
```

The issue here is that the validator can specify height as 1, which will lead to the DA layer wasting its resources doing lookups in its local DB from height = 1 up to current_block. Moreover, after these lookups, the results have to be returned to the validator who made this request. As such, this simple call will DoS the DA Layer.

Impact

This simple call will permanently waste the resources of the DA layer. Without access to the DA layer, the Validator will not be able to progress and thus, the network will be stalled.

Recommendation

On the DA Layer level, constrain the range of blob heights that can be streamed in a single request.

Proof of Concept

The PoC is very straightforward. We will start by defining a few variables. Let:

  • current_block = 184239

  • height = 1

Step one: The malicious validator makes a call to stream_read_from_height(), using the height variable as defined above.

Step two: The honest DA layer operator will try to look up and return the blobs between height and current_block, a range spanning 184238 blocks.

Step three: The honest DA layer will not be able to process this and thus, the network will stall.
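As an added illustration of the recommended mitigation and of the PoC figures above (not code from the Movement light-node or DA layer), the following resolves a requested start height into a bounded window before any DB lookup happens, so a request for height = 1 costs a fixed page of lookups instead of a scan to the tip. The page size and all names are hypothetical.

```rust
// Added example, not code from the Movement light-node or DA layer.
// The DA side refuses to stream an unbounded [height, tip] range and
// serves a fixed-size page instead; the client continues from end + 1.

/// Maximum number of blobs one stream request may cover (hypothetical value).
pub const MAX_BLOBS_PER_STREAM: u64 = 1_000;

#[derive(Debug, PartialEq)]
pub enum RangeError {
    /// Heights are 1-based in the report; 0 is not a valid start height.
    ZeroHeight,
    /// Requested start is beyond the DA layer's current tip.
    AboveTip { requested: u64, tip: u64 },
    /// Explicit end is below the requested start.
    Inverted { from: u64, to: u64 },
}

/// Resolve a client's start height (and optional end) into the window the
/// DA layer will actually serve: at most MAX_BLOBS_PER_STREAM blobs and
/// never past `tip`. Validation runs before any storage access.
pub fn bounded_window(from: u64, to: Option<u64>, tip: u64) -> Result<(u64, u64), RangeError> {
    if from == 0 {
        return Err(RangeError::ZeroHeight);
    }
    if from > tip {
        return Err(RangeError::AboveTip { requested: from, tip });
    }
    // Furthest end this request may reach, regardless of what was asked for.
    let cap_end = from.saturating_add(MAX_BLOBS_PER_STREAM - 1).min(tip);
    let end = match to {
        Some(t) if t < from => return Err(RangeError::Inverted { from, to: t }),
        Some(t) => t.min(cap_end),
        None => cap_end,
    };
    Ok((from, end))
}

/// DB lookups (inclusive of both ends) an unbounded request costs the DA layer.
pub fn lookups_unbounded(from: u64, tip: u64) -> u64 {
    tip - from + 1
}

/// DB lookups the same request costs once the window is bounded.
pub fn lookups_bounded(from: u64, tip: u64) -> u64 {
    bounded_window(from, None, tip).map(|(s, e)| e - s + 1).unwrap_or(0)
}
```

With the report's figures (current_block = 184239, height = 1) the unbounded call costs 184239 lookups while the bounded one costs 1000.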
