search
Active Boosts

#39191 [BC-Critical] JoinRoute: Attacker reachable input serialization

Submitted on Jan 24th 2025 at 12:04:06 UTC by @riproprip for Audit Comp | Shardeum: Core IIIarrow-up-right

  • Report ID: #39191

  • Report Type: Blockchain/DLT

  • Report severity: Critical

  • Target: https://github.com/shardeum/shardus-core/tree/bugbounty

  • Impacts:

    • Network not being able to confirm new transactions (total network shutdown)

hashtag
Description

hashtag
Brief/Intro

JoinRoute allows an attacker to oom reap a node.

hashtag
Vulnerability Details

JoinRoute trusts and serializes attacker controlled input before verifying the input.

The attacker can essentially describe in few bytes a memory structure that takes many bytes when serializing. This is a problem because it allows an attacker to allocate all the free memory till the OS has to step in and kill the process.

It seems that moving L85 to the front of the function and running it against the body would fix the problem. Not sure why shardeum is stringifying and parsing again in the first place?

hashtag
Impact Details

Usually just the node process gets killed. In rare cases the OS also kills other processes.

hashtag
References

The offendinglinearrow-up-right:

hashtag
Proof of Concept

hashtag
Proof of Concept

hashtag
Setup

  • Setup shardus and shardus start N instances.

  • Save attack code under /tmp/1_attack.js

  • install dependencies

hashtag
run

hashtag
notes

Please find attached the screenshot of my attack run.

You can see the node at port 9003 using more and more memory.

At a certain point the OS steps in to reap the process (dmesg part of screenshot).

Previous#39752 [BC-Insight] There is an issue related to incorrect version parsing and comparison logic lead to incorrect node validation,Next#39979 [BC-Critical] Total network shutdown via fixDeserializedWrappedEVMAccount call through binary_repair_oos_accounts endpoint

Was this helpful?