#43324 [BC-High] insufficient validation in da light node allows malicious override of application priority

#43324 [BC-High] Insufficient Validation in DA Light Node Allows Malicious Override of `application_priority`

Submitted on Apr 4th 2025 at 15:57:44 UTC by @Blockian for Attackathon | Movement Labs

Report ID: #43324
Report Type: Blockchain/DLT
Report severity: High
Target: https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/da/movement/protocol/light-node
Impacts:
- Modification of transaction fees outside of design parameters
- Griefing
- Tx Censorship

Description

Movement Bug Report

Insufficient Validation in DA Light Node Allows Malicious Override of `application_priority`

Summary

The DA Light Node does not validate the application_priority field on incoming transactions. Because this field is not part of the signed payload, a malicious node can arbitrarily alter the priority of a transaction, allowing for unfair ordering or censorship of other transactions.

Root Cause Analysis

During the batch_write process, the prevalidator validates incoming transactions through the following logic:

	#[tonic::async_trait]
impl PrevalidatorOperations<Transaction, Transaction> for Validator {
	/// Verifies a Transaction as a Valid Transaction
	async fn prevalidate(
		&self,
		transaction: Transaction,
	) -> Result<Prevalidated<Transaction>, Error> {
		let application_priority = transaction.application_priority();
		let sequence_number = transaction.sequence_number();

		let aptos_transaction = AptosTransactionValidator.prevalidate(transaction).await?;
		let aptos_transaction = self
			.whitelist_validator
			.prevalidate(aptos_transaction.into_inner())
			.await?
			.into_inner();

		Ok(Prevalidated(Transaction::new(
			bcs::to_bytes(&aptos_transaction).map_err(|e| {
				Error::Internal(format!("Failed to serialize AptosTransaction: {}", e))
			})?,
			application_priority,
			sequence_number,
		)))
	}
}

However, the application_priority is not part of the signed transaction payload. This means:

The priority value is not cryptographically tied to the transaction content.
The value can be modified by any party submitting the transaction (e.g., a malicious node).
There is no verification step to ensure the priority value matches the calculated original intent.

Impact

The application_priority field plays a role in transaction ordering. Allowing it to be arbitrarily modified introduces several vulnerabilities:

Priority Inflation: A malicious actor can artificially boost the priority of their own transactions, gaining unfair access to limited execution bandwidth.
Transaction Starvation: Legitimate transactions with genuine lower priorities may be delayed or dropped due to queue saturation.
Targeted Censorship: An attacker can reduce the priority of a victim’s transaction to push it behind attacker-controlled transactions.
Loss of Fairness and Predictability: The system’s ability to enforce deterministic or economic ordering (e.g., fee-based) is undermined if priority is mutable.

Proposed Fixes

Derive Priority On the Da Light Node Eliminate the client-provided application_priority entirely and compute it deterministically on the Light Node.

Proof of Concept

Proof of Concept (PoC)

Run the DA Light Node.
Identify a legitimate transaction to target.
Copy the transaction’s data, sequence_number, and id, but modify the application_priority to a higher or lower value.
Send a gRPC request to the Light Node’s write_batch endpoint with the modified transaction.

// Pseudo-code
let manipulated_tx = Transaction {
	data: original_tx.data.clone(),
	application_priority: 9999, // Arbitrarily priority
	sequence_number: original_tx.sequence_number,
	id: original_tx.id,
};

Previous#43322 [BC-High] inadequate transaction validation in da light node allows unprocessable block creation Next#43326 [BC-Insight] stale transaction state in mempool when sender receiver pipe fails

Was this helpful?