#39626 [W&A-Critical] Malicious Validator Can Overwrite Any Cycle Data
Submitted on Feb 3rd 2025 at 16:59:16 UTC by @Blockian for Audit Comp | Shardeum: Ancillaries III
Report ID: #39626
Report Type: Websites and Applications
Report severity: Critical
Target: https://github.com/shardeum/archive-server/tree/itn4
Impacts:
Taking and/or modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as:
Changing registration information
Commenting
Voting
Making trades
Withdrawals, etc.
Direct theft of user funds
Description
Shardeum Ancillaries Bug Report
Malicious Validator Can Overwrite Any Cycle Data
Summary
A vulnerability in the collectCycleData function allows a malicious Validator to manipulate the Archiver by getting it to process a fake cycle controlled entirely by that Validator. This lets the Validator override legitimate cycles and potentially alter critical network parameters, for example by adding unauthorized Archivers, an action that should be restricted to the Shardeum team.
Root Cause Analysis
Examining the collectCycleData function:
Vulnerability Breakdown
When processing a new cycle, the function follows these steps:
1. If the cycle.counter and cycle.marker already exist in receivedCycleTracker, it increments receivedTimes. Otherwise, it validates the cycle using validateCycleData and adds it to receivedCycleTracker.
2. If receivedTimes meets or exceeds minCycleConfirmations, the cycle is added to cycleToSave.
3. Finally, processCycles(cycleToSave) is called to process the cycle.
The Problem
The cycle added to cycleToSave is simply the last cycle received for that counter/marker pair, not necessarily the one that passed validation. This means that the last Validator to submit a cycle can modify its properties and force an incorrect cycle into the Archiver, potentially altering network parameters.
Exploitation Steps
Scenario
Assume minCycleConfirmations == 5 and there are five connected Validators, with only one being malicious.
Steps to Exploit
1. The first four Validators submit the correct cycle (cycle.counter == x, cycle.marker == y).
2. The malicious Validator submits a modified cycle while keeping the same cycle.counter and cycle.marker. For example, it could add an unauthorized Archiver.
3. The Archiver receives the fake cycle, sees receivedTimes == 5, and adds the newly received cycle to cycleToSave.
4. The Archiver processes the fake cycle (registering the unauthorized Archiver or modifying other network parameters, depending on the payload).
Impact
A malicious Validator can manipulate key network parameters, including node counts, Archivers, and more.
The Validator effectively gains control over the information processed by Archivers, allowing unauthorized data modifications.
The ability to register Archivers without Shardeum team approval is a critical security risk.
Proposed Fix
Modify how cycleToSave is assigned:
Current (Vulnerable) Code:
Secure Fix:
Why This Works
The corrected version ensures that only the cycle that underwent validation is stored and processed, preventing last-minute tampering.
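To make the control-flow defect and the fix concrete, here is an added example that models the collectCycleData steps described above; it is not archive-server code, and the Cycle fields (maxSyncTime, joinedArchivers), the simplified validateCycleData stand-in and the tracker layout are assumptions made for illustration.

```typescript
export {};
// Added example, not archive-server code: a minimal model of the collectCycleData flow
// the report describes. Field names and the validation stand-in are hypothetical.
interface Cycle { counter: number; marker: string; maxSyncTime: number; joinedArchivers: string[] }
interface TrackerEntry { cycle: Cycle; receivedTimes: number }
type Tracker = Map<string, TrackerEntry>;
type Collector = (tracker: Tracker, cycle: Cycle) => Cycle | null;

const minCycleConfirmations = 5;
const trackerKey = (c: Cycle): string => `${c.counter}:${c.marker}`;

// Stand-in for validateCycleData: shape checks only, so the control-flow bug stays visible.
function validateCycleData(c: Cycle): boolean {
  return Number.isInteger(c.counter) && c.counter >= 0 && c.marker.length > 0;
}

// Shared bookkeeping: count repeats of (counter, marker); validate and track on first sight.
function track(tracker: Tracker, cycle: Cycle): TrackerEntry | null {
  const k = trackerKey(cycle);
  const entry = tracker.get(k);
  if (entry) { entry.receivedTimes += 1; return entry; }
  if (!validateCycleData(cycle)) return null;
  const fresh: TrackerEntry = { cycle, receivedTimes: 1 };
  tracker.set(k, fresh);
  return fresh;
}

// Vulnerable: once confirmations are reached, the cycle handed to processCycles is the
// one that just arrived, although only the first copy under this key was validated.
const collectVulnerable: Collector = (tracker, cycle) => {
  const entry = track(tracker, cycle);
  return entry && entry.receivedTimes >= minCycleConfirmations ? cycle : null;
};

// Fixed: hand over the copy stored in the tracker, i.e. the one that was validated.
const collectFixed: Collector = (tracker, cycle) => {
  const entry = track(tracker, cycle);
  return entry && entry.receivedTimes >= minCycleConfirmations ? entry.cycle : null;
};

// Constructed scenario from the report: four honest submissions, then one tampered copy
// that keeps counter and marker but changes maxSyncTime and adds an archiver.
function simulate(collect: Collector): Cycle | null {
  const tracker: Tracker = new Map();
  const honest: Cycle = { counter: 42, marker: 'marker-y', maxSyncTime: 60, joinedArchivers: [] };
  for (let i = 0; i < 4; i++) collect(tracker, { ...honest, joinedArchivers: [] });
  const tampered: Cycle = { ...honest, maxSyncTime: 9999, joinedArchivers: ['rogue-archiver'] };
  return collect(tracker, tampered);
}
```

Running simulate(collectVulnerable) yields the tampered cycle, while simulate(collectFixed) yields the first, validated copy; note that the fix relies on the tracked copy being the trustworthy one, so validateCycleData (or a marker that binds the cycle contents) must still reject a tampered cycle that arrives first.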
Proof of Concept
Proof of Concept (PoC)
Basically, all we need to do is create a malicious Validator to execute this attack, but to make the PoC easier to perform, I added some additional logs to the Archiver for additional visibility; I suggest adding them as well.
In the collectCycleData function, add the following logs after the minCycleConfirmations calculation:
Creating a Malicious Validator
Modify the core repository with the following diffs:
Diff 1 - Adding a Custom Route to Modify the Cycle
Diff 2 - Enabling Cycle Modification
Diff 3 - Injecting Malicious Data into the Cycle
Executing the PoC
1. Setup
In the Archiver repo:
In the Core repo:
In the Shardeum repo:
2. Attack Execution
1. Start the system:
2. Monitor logs for:
3. Identify the Validator submitting the cycle second using:
4. Send a POST request to the malicious Validator's new blockian route:
NOTE: cycle can contain any false information; for this PoC we simply change the maxSyncTime.
5. Observe the Archiver accepting and storing the fake cycle without issues.