# #43177 \[BC-Critical] dos vulnerability in da light node via unbounded height parameter ## #43177 \[BC-Critical] DoS Vulnerability in DA Light Node via Unbounded Height Parameter **Submitted on Apr 3rd 2025 at 09:41:01 UTC by @Blockian for** [**Attackathon | Movement Labs**](https://immunefi.com/audit-competition/movement-labs-attackathon) * **Report ID:** #43177 * **Report Type:** Blockchain/DLT * **Report severity:** Critical * **Target:** * **Impacts:** * Network not being able to confirm new transactions (total network shutdown) ### Description ## Movement Bug Report ### DoS Vulnerability in DA Light Node via Unbounded Height Parameter #### Summary The `stream_read_from_height` gRPC endpoint in the DA Light Node lacks proper validation on the `height` parameter. An attacker can exploit this by setting `height = 0`, effectively requesting all blobs from genesis. As the network grows over time, this results in an increasingly large data request, which can overwhelm the node, leading to a denial of service (DoS) scenario. #### Root Cause Analysis The `stream_read_from_height` endpoint accepts a user-controlled `height` parameter and internally calls the `stream_da_blobs_from_height` function: ```rs fn stream_da_blobs_from_height( &self, start_height: u64, ) -> Pin, DaError>> + Send + '_>> { let certificate_stream = self.stream_certificates().await?; // ... (omitted non-relevant code) let mut last_height = start_height; let mut certificate_stream = certificate_stream; while let Some(certificate) = certificate_stream.next().await { match certificate { Ok(Certificate::Height(height)) if height > last_height => { let blob_stream = self .stream_da_blobs_between_heights(last_height, height) .await?; tokio::pin!(blob_stream); while let Some(blob) = blob_stream.next().await { yield blob?; } // ... (omitted non-relevant code) } ``` Here, the function `stream_da_blobs_from_height` uses the user-supplied `start_height` to stream blobs from the earliest specified height up to the latest known height (retrieved from `stream_certificates`). Without validation, this can lead to excessive and unbounded data retrieval. #### Impact If an attacker sets `start_height = 0` and the latest height is large, the node will: * Enter a long-running loop while attempting to stream all blobs from genesis. * Suffer from performance degradation or potentially become unresponsive. * Compromise the availability and liveness of the network by tying up resources. #### Proposed Fixes * Introduce a maximum allowed range between `start_height` and the latest height when calling `stream_da_blobs_between_heights`. * Implement a failsafe to break out of the loop if the stream exceeds a predefined safe limit. ### Proof of Concept ## Proof of Concept (PoC) 1. Start the DA Light Node. 2. Set up a fake DA source populated with a large number of blobs across a high range of heights. 3. Send a gRPC request to the Light Node’s `stream_read_from_height` endpoint with `height = 0`. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/movement-labs-attackathon/43177-bc-critical-dos-vulnerability-in-da-light-node-via-unbounded-height-parameter.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.