39811 [BC-Critical] inducing large memory allocation via join endpoint
Submitted on Feb 7th 2025 at 21:48:26 UTC by @ZhouWu for
Report ID: #39811
Report Type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardus-core/tree/bugbounty
Impacts:
Network not being able to confirm new transactions (total network shutdown)
In the core code there is an HTTP POST endpoint called '/join'. For some reason the endpoint handler stringifies the HTTP body and then parses it again. The problem lies in this custom stringify function: it stringifies a buffer object using the length supplied in the request without checking that the content is actually valid. This leads to an extremely large memory allocation in the node process and eventually crashes the node.
This is the affected area of code in src/p2p/Join/routes.ts
Launch a local network to act as the legitimate network.
Create a folder to save the exploit script: mkdir exploit and cd exploit
Create a file called exploit.js with the following content:
Save the following content in package.json
Wait for the node to come online.
Run the following command to install the dependencies: npm install
Run the following command to execute the exploit: node exploit.js <ip> <port>. Example: node exploit.js 0.0.0.0 9008
Check the memory of the node via the shardus CLI or the task manager; it will be using multiple gigabytes of memory.
Large memory allocation in the node process, eventually leading to a node crash. This can be used to perform a denial-of-service attack against the whole network: total network shutdown.
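The mitigation pattern for the bug class described above, as an added example that is not shardus-core code: when a serialized buffer arrives in an untrusted request body, the allocation must be bounded by the bytes actually present and by a hard cap, never by a caller-supplied length field. The field names dataType, data and length, the cap MAX_BUFFER_BYTES and the function names are assumptions, not the project's own.

```javascript
// Added example (not shardus-core code). Field names and cap are assumed.
const MAX_BUFFER_BYTES = 64 * 1024; // assumed upper bound for a join payload

// Vulnerable pattern: the declared length from the request drives allocation.
function unsafeBufferFromJson(obj) {
  return Buffer.alloc(obj.length); // untrusted size, nothing checks the payload
}

// Hardened pattern: reject the object before allocating anything sized by
// untrusted input, and size the result only from the bytes actually present.
function safeBufferFromJson(obj) {
  if (!obj || obj.dataType !== 'Buffer' || !Array.isArray(obj.data)) {
    throw new TypeError('not a serialized Buffer');
  }
  if (obj.data.length > MAX_BUFFER_BYTES) {
    throw new RangeError(`buffer exceeds ${MAX_BUFFER_BYTES} bytes`);
  }
  // A declared length that disagrees with the payload is the bug's trigger.
  if (obj.length !== undefined && obj.length !== obj.data.length) {
    throw new RangeError('declared length does not match payload');
  }
  if (!obj.data.every((b) => Number.isInteger(b) && b >= 0 && b <= 255)) {
    throw new TypeError('payload contains non-byte values');
  }
  return Buffer.from(obj.data);
}

// Parse an untrusted body; the reviver validates every embedded buffer so an
// inconsistent or oversized one is rejected instead of being allocated.
function parseUntrustedBody(bodyText) {
  return JSON.parse(bodyText, (_key, value) =>
    value && typeof value === 'object' && value.dataType === 'Buffer'
      ? safeBufferFromJson(value)
      : value
  );
}

// Constructed samples: a benign payload, and a hostile one whose declared
// length is 4 GiB while it carries no bytes at all.
const benignBody = JSON.stringify({
  sig: { dataType: 'Buffer', data: [1, 2, 3], length: 3 },
});
const hostileBody = JSON.stringify({
  sig: { dataType: 'Buffer', data: [], length: 4 * 1024 ** 3 },
});

module.exports = { MAX_BUFFER_BYTES, safeBufferFromJson, parseUntrustedBody, benignBody, hostileBody };
```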