Network not being able to confirm new transactions (total network shutdown)
Description
Brief/Intro
Core uses the get method of the got module to initiate an HTTP GET.
It does not limit the response size. This allows an attacker to exhaust all the memory on the system until the node crashes.
Vulnerability Details
got.get should be called with a response limit. Since no limit is supplied and got accepts compressed responses, the counterparty can return a small compressed body that inflates to a huge run of 0s, using very little bandwidth/transfer volume/resources to crash a node.
Please note that while the attacker does not initiate the attack itself, the victim has to make contact with rotating random nodes and at least one of the archivers in order to function, which gives attackers the opportunity to strike.
Impact Details
Usually only the node process gets killed. In rare cases the OS also kills other processes.
I wasn't really sure what hurdle to jump here. Below we reroute all got requests to a malicious server. This server forwards all requests to the intended counterparty, unless a got.get request was made and more than 120 seconds have elapsed; in that case it sends the compressed 0s, which crashes the node. Be careful when running the POC: your system will become unresponsive once all the memory is used, until the OS steps in and reaps the process.
git clone https://github.com/shardeum/shardeum.git
cd shardeum && git checkout tags/bugbounty
nvm use 18.19.1
npm ci
git apply debug-10-nodes.patch # keep the mode in release
# in src/config/index.ts set flexibleRotationDelta: 0
npm run prepare
npm install -g shardus
npm update @shardus/archiver
git apply /tmp/got.patch
nohup node /tmp/malicious_server.js gotget &
shardus start 1 # could also use something else (POC won't break until over 99 due to port remapping)