39893 [W&A-Critical] malicious validator can modify txid in global transactions
#39893 [W&A-Critical] Malicious Validator Can Modify `txId` in Global Transactions
Submitted on Feb 9th 2025 at 23:31:53 UTC by @Blockian for Audit Comp | Shardeum: Ancillaries III
Report ID: #39893
Report Type: Websites and Applications
Report severity: Critical
Target: https://github.com/shardeum/archive-server/tree/itn4
Impacts:
Malicious interactions with an already-connected wallet, such as:
Modifying transaction arguments or parameters
Substituting contract addresses
Submitting malicious transactions
Description
Shardeum Ancillaries
Malicious Validator Can Modify txId
in Global Transactions
txId
in Global TransactionsDescription
When submitting a Global Transaction (Global Tx) Receipt, the transaction ID (txId
) is not included in the signed object that validators verify.
As a result, a malicious validator can alter the txId
field without invalidating the receipt, allowing them to:
Censor transactions by preventing specific
txId
s from being processed.
Root Cause
During signature verification in verifyAppliedReceiptSignatures
, the txId
is not part of the signed object for Global Transactions.
Relevant Code Snippet:
Here, tx
comes from receipt.signedReceipt
and is used for validation. However, unlike receipt.beforeStates
and receipt.afterStates
—which are properly validated in verifyGlobalTxAccountChange
—there is no validation ensuring that receipt.tx
remains unchanged.
This oversight allows an attacker to modify receipt.tx
while keeping the signature valid.
Impact
The primary risk is transaction censorship:
An attacker can modify
txId
s for transactions not yet processed by the archiver.When the legitimate transaction is eventually submitted, it will be rejected due to the
txId
being used already.
How to Censor
The Attacker needs to change the receipt.tx.txId
to the txId of the transaction they wish to censor and receipt.tx.timestamp
to the timestamp of the transaction they wish to censor, thus when the real transaction will be submitted it will skip it and wont save it.
Proposed Fix
To prevent this exploit, add a validation step to ensure receipt.tx
matches the values in receipt.signedReceipt
.
Proof of Concept
Proof of Concept
Since we only wish to demonstrate that the Global Transaction will be processed as normal, the following minimal POC should be enough.
The first transaction the Archiver recives after starting a network is a Global Transaction, so all we need to do is Apply the following diff on the Archiver:
Run the network as normal LOAD_JSON_CONFIGS=debug-10-nodes.config.json shardus start 10
and see the Archiver processes the transaction as expected. For further information you can also check the sqlite3 db after the transaction is processed and look for txId = "1000000000000000000000000000000000000000000000000000000000000011"
Was this helpful?