search
Active Boosts

#43243 [BC-Critical] Attacker can halt chains operating in sequencer mode

Submitted on Apr 4th 2025 at 01:38:59 UTC by @usmannk for Attackathon | Movement Labsarrow-up-right

  • Report ID: #43243

  • Report Type: Blockchain/DLT

  • Report severity: Critical

  • Target: https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/light-node

  • Impacts:

    • Network not being able to confirm new transactions (total network shutdown)

hashtag
Description

hashtag
Brief/Intro

The batch_write rpc call can be abused by attackers to write malformed transactions to the Celestia network. When this is read back as a block the node panics and crashes.

hashtag
Vulnerability Details

The batch_write RPC method does not have access control. Further, the LightNodeService is bound to the ip address 0.0.0.0 in both the default and suggested (https://docs.movementnetwork.xyz/assets/files/config-4551e1260977506ebb8dcdea19b254ed.json) configurations. Because 0.0.0.0 allows requests from not just the local host but any IP address on the internet, an attacker may call this RPC to write arbitrary movement transactions to DA. The Aptos Transaction within this Movement Transaction can be malformed.

If a malformed Aptos transaction is written in this way, nodes will crash when reading it from DA.

Ostensibly there is prevalidation to assert that the submitted transaction is a valid Aptos transaction. However, when nodes are running in the default and suggested configuration, they do not have Whitelist Prevalidation enabled. The Aptos transaction prevalidation is, presumably erroneously, done inside Whitelist Prevalidation so it is also disabled by default.

Even if this prevalidation is enabled, a malicious sequencer can still sign and submit such a malformed block. However, in the default and suggested configuration, any party may execute this attack.

hashtag
Impact Details

Attackers can insert malformed transactions into the canonical chain, signed by the DA signer and persisted to DA.

hashtag
Proof of Concept

hashtag
Proof of Concept

  • run movement stack by calling just movement-full-node native build.setup.celestia-local.eth-local

  • send a call to BatchWrite with an invalid tx:

  • Observe the chain crashes:

The base64 encoded data above is the following transaction: "data":[0],"application_priority":0,"sequence_number":0,"id":[157,21,55,43,24,48,115,90,10,45,5,33,70,105,227,39,26,117,74,172,70,254,48,59,104,187,48,70,1,58,5,116]}

The bytes [0] is not a valid Aptos Transaction and thus the node panics when trying to execute it within a block.

Previous#43241 [BC-High] Attackers can drain TIA from nodes in networks running in passthrough modeNext#43244 [BC-Critical] Lack of TCP timeout allows attacker to crash the sequencer via the Light Node Service

Was this helpful?