#35526 [BC-Critical] An attacker can change the account balance after the transaction has been processed.
Submitted on Sep 26th 2024 at 13:11:33 UTC by @periniondon630 for Audit Comp | Shardeum: Core II
Report ID: #35526
Report Type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardus-core/tree/dev
Impacts:
Direct loss of funds
Description
Brief/Intro
An attacker's active node from the execution group can change the account balance after a transaction involving this account has been processed by the network.
Vulnerability Details
The P2P handler binary_repair_oos_accounts does not recalculate the proposalHash while verifying the signatures in receipt.signaturePack; the hash is taken as supplied in the receipt. This allows an attacker to modify the account data and the corresponding afterStateHash in the receipt proposal, and the validator node then updates its account state from the modified data. For the attack to succeed, the attacker's node must be part of the execution group for the transaction.
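To make the missing check concrete, the following is an added example written for this report, not shardus-core's own code: a simplified receipt model in which a repair handler either trusts the proposalHash carried in the receipt (the pattern described above) or recomputes it, together with afterStateHash, from the proposal body it actually received before checking the signature pack. All type names (Receipt, Proposal, NodeSig), the canonical-JSON hashing, the ed25519 signing via node:crypto and the sample accounts are assumptions made for the example; they do not reproduce Shardeum's real serialisation or signature scheme.

```typescript
// Added example, not shardus-core code. Types and hashing are hypothetical stand-ins.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from 'node:crypto';

interface AccountData { accountId: string; balance: number }
interface Proposal { txId: string; afterStateHash: string; accounts: AccountData[] }
interface NodeSig { signer: string; sig: string }
interface Receipt { proposal: Proposal; proposalHash: string; signaturePack: NodeSig[] }

const sha256 = (s: string): string => createHash('sha256').update(s).digest('hex');

// Canonical serialisation so every node hashes identical bytes (assumed scheme).
function hashAccounts(accounts: AccountData[]): string {
  const canon = [...accounts]
    .sort((a, b) => a.accountId.localeCompare(b.accountId))
    .map(a => ({ accountId: a.accountId, balance: a.balance }));
  return sha256(JSON.stringify(canon));
}

function hashProposal(p: Proposal): string {
  return sha256(JSON.stringify({ txId: p.txId, afterStateHash: p.afterStateHash, accounts: p.accounts }));
}

function signProposal(proposalHash: string, signer: string, priv: KeyObject): NodeSig {
  return { signer, sig: sign(null, Buffer.from(proposalHash, 'hex'), priv).toString('hex') };
}

// Count signatures in the pack that verify over `hash` from known execution-group nodes.
function validSignatures(hash: string, pack: NodeSig[], registry: Map<string, KeyObject>): number {
  let n = 0;
  for (const s of pack) {
    const pub = registry.get(s.signer);
    if (pub && verify(null, Buffer.from(hash, 'hex'), pub, Buffer.from(s.sig, 'hex'))) n++;
  }
  return n;
}

// Vulnerable pattern: signatures are checked against the hash carried in the receipt,
// so nothing ties the signatures to the proposal body that will be applied.
function verifyReceiptVulnerable(r: Receipt, registry: Map<string, KeyObject>, quorum: number): boolean {
  return validSignatures(r.proposalHash, r.signaturePack, registry) >= quorum;
}

// Hardened pattern: recompute afterStateHash from the account data and proposalHash from
// the proposal, reject on any mismatch, and only then verify signatures over the recomputed hash.
function verifyReceiptHardened(r: Receipt, registry: Map<string, KeyObject>, quorum: number): boolean {
  if (hashAccounts(r.proposal.accounts) !== r.proposal.afterStateHash) return false;
  const recomputed = hashProposal(r.proposal);
  if (recomputed !== r.proposalHash) return false;
  return validSignatures(recomputed, r.signaturePack, registry) >= quorum;
}

// Constructed scenario: three signing nodes, an honest receipt, and a copy whose account
// balance and afterStateHash were rewritten while the signed proposalHash was left intact.
function demo(): Record<string, boolean> {
  const registry = new Map<string, KeyObject>();
  const privs = new Map<string, KeyObject>();
  for (const id of ['nodeA', 'nodeB', 'nodeC']) {
    const { publicKey, privateKey } = generateKeyPairSync('ed25519');
    registry.set(id, publicKey);
    privs.set(id, privateKey);
  }
  const accounts: AccountData[] = [{ accountId: 'acct-1', balance: 5 }, { accountId: 'acct-2', balance: 7 }];
  const proposal: Proposal = { txId: 'tx-1', afterStateHash: hashAccounts(accounts), accounts };
  const proposalHash = hashProposal(proposal);
  const honest: Receipt = {
    proposal,
    proposalHash,
    signaturePack: [...privs].map(([id, k]) => signProposal(proposalHash, id, k)),
  };
  const altered: AccountData[] = [{ accountId: 'acct-1', balance: 100 }, accounts[1]];
  const tampered: Receipt = {
    ...honest,
    proposal: { ...proposal, accounts: altered, afterStateHash: hashAccounts(altered) },
  };
  return {
    vulnerableAcceptsHonest: verifyReceiptVulnerable(honest, registry, 2),
    vulnerableAcceptsTampered: verifyReceiptVulnerable(tampered, registry, 2),
    hardenedAcceptsHonest: verifyReceiptHardened(honest, registry, 2),
    hardenedAcceptsTampered: verifyReceiptHardened(tampered, registry, 2),
  };
}

console.log(demo());
```

The hardened variant recomputes hashes from the received proposal body in both directions (accounts to afterStateHash, proposal to proposalHash) and verifies signatures over the recomputed value, so a receipt whose body no longer matches what the execution group signed is rejected before any account state is written.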
Impact Details
An attacker can set the balance to any value for any account involved in transactions processed within the execution group in which the attacker's node is participating.
References
https://github.com/shardeum/shardus-core/blob/23e06ded6744d8521cff9d749c1f1dd482c5fcb6/src/state-manager/AccountPatcher.ts#L490
Link to Proof of Concept
https://gist.github.com/periniondon630/ee50d02c09c87fb97d31d53b1f1bd9cf
Proof of Concept
I’ve added a callback for the event when a transaction is archived, following the method outlined in the documentation. Apply the patch from the gist to the attacker's node, wait for it to become active, and then send a transaction. Check the attacker's node output log—it will display a message when the transaction is archived, indicate which account will be targeted (the first one is selected), and show the nodes to which requests will be sent. The final balance will be set to 100 coins.