#39191 [BC-Critical] JoinRoute: Attacker reachable input serialization
Submitted on Jan 24th 2025 at 12:04:06 UTC by @riproprip for
Report ID: #39191
Report Type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardus-core/tree/bugbounty
Impacts:
Network not being able to confirm new transactions (total network shutdown)
JoinRoute allows an attacker to get a node OOM-reaped.
JoinRoute trusts and serializes attacker-controlled input before verifying that input.
The attacker can describe in a few bytes a memory structure that takes many bytes when serialized. This is a problem because it allows an attacker to allocate all of the free memory until the OS has to step in and kill the process.
It seems that moving L85 to the front of the function and running it against the body would fix the problem. Not sure why Shardeum is stringifying and parsing again in the first place.
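Added example (not from the report or from the shardus-core code base) of the ordering the fix above implies: bound and validate the raw join body before any stringify/parse round-trip of it. The field names, the caps and the checkJoinRequest function are assumptions, not the real JoinRoute schema.

```javascript
// Added example: validate an untrusted join request *before* any
// stringify/parse round-trip. Field names and caps are hypothetical;
// the real JoinRoute schema is not shown in the report.
const MAX_RAW_BYTES = 16 * 1024;   // cap on the raw request body
const MAX_NODES = 200;             // cap on total values in the parsed tree
const MAX_DEPTH = 4;               // cap on nesting depth
const ALLOWED_KEYS = new Set(['nodeInfo', 'cycleMarker', 'sign']);

// Walk the parsed value iteratively, counting values and tracking depth,
// so deep or wide input cannot exhaust the stack or the heap downstream.
function withinBounds(value) {
  const stack = [[value, 0]];
  let nodes = 0;
  while (stack.length) {
    const [v, depth] = stack.pop();
    if (++nodes > MAX_NODES || depth > MAX_DEPTH) return false;
    if (v && typeof v === 'object') {
      for (const child of Object.values(v)) stack.push([child, depth + 1]);
    }
  }
  return true;
}

// Returns { ok: true, body } or { ok: false, reason }. Every check runs on
// the raw string or the parsed tree; nothing is re-serialized until the
// input has passed. Only a validated body should reach later stages.
function checkJoinRequest(rawBody) {
  if (typeof rawBody !== 'string') return { ok: false, reason: 'not a string' };
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_RAW_BYTES) {
    return { ok: false, reason: 'body too large' };
  }
  let body;
  try { body = JSON.parse(rawBody); } catch { return { ok: false, reason: 'invalid JSON' }; }
  if (!body || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, reason: 'not an object' };
  }
  for (const key of Object.keys(body)) {
    if (!ALLOWED_KEYS.has(key)) return { ok: false, reason: `unexpected key ${key}` };
  }
  if (!withinBounds(body)) return { ok: false, reason: 'structure exceeds bounds' };
  return { ok: true, body };
}
```

Once checkJoinRequest has accepted the body, the existing signature verification runs on the validated object and any stringify step afterwards operates on input of known, bounded size.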
Usually just the node process gets killed. In rare cases the OS also kills other processes.
Set up shardus and start N instances (shardus start N).
Save the attack code under /tmp/1_attack.js.
Install dependencies.
Please find attached the screenshot of my attack run.
You can see the node at port 9003 using more and more memory.
At a certain point the OS steps in to reap the process (the dmesg portion of the screenshot).
The offending: