#39395 [BC-Medium] got.get without response limit

Submitted on Jan 29th 2025 at 12:46:04 UTC by @riproprip for Audit Comp | Shardeum: Core III

  • Report ID: #39395

  • Report Type: Blockchain/DLT

  • Report severity: Medium

  • Target: https://github.com/shardeum/shardus-core/tree/bugbounty

  • Impacts:

    • Network not being able to confirm new transactions (total network shutdown)

Description

Brief/Intro

Core uses the get method of the got module to initiate an HTTP GET. It does not limit the response size. This allows attackers to use up all the memory on the system until the node crashes.

Vulnerability Details

got.get should be called with a response limit. Since a limit is not supplied and got allows compressed responses, the counterparty can return a bunch of compressed 0s to use very little bandwidth/transfer volume/resources to crash a node.

Please note that while the attacker does not initiate the HTTP request itself, the victim has to make contact with rotating random nodes and at least one of the archivers to function (giving attackers the opportunity to strike).

Impact Details

Usually just the node process gets killed. In rare cases the OS also kills other processes.

References

The offending line

Proof of Concept

I wasn't really sure what hurdle to jump here. Below we reroute all got requests to a malicious server. This server reroutes all requests to the intended counterparty, unless a got.get request was made and more than 120 seconds elapsed. In that case it sends the compressed 0s which crashes the node. Be careful when running the PoC: your system will become unresponsive when all the memory is used until the OS steps in and reaps.

I attached a screenshot.

save as /tmp/malicious_server.js

save as /tmp/got.patch

save as /tmp/compressed_34.json

run