#39921 [BC-Critical] accountDeserializer isn't type safe
Submitted on Feb 10th 2025 at 20:40:11 UTC by @riproprip for
Report ID: #39921
Report Type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardeum/tree/bugbounty
Impacts:
Network not being able to confirm new transactions (total network shutdown)
accountDeserializer allows plain objects to be deserialized as other object types. This then breaks assumptions made by later code, letting an attacker allocate memory until the node crashes.
accountDeserializer is not type safe. An attacker can send plain objects that mimic other object types. Those objects are not ajv-validated like the usual objects, so they wreak havoc on deeper functionality. The PoC reaches a later Buffer.from call that expects a string but receives an array-like object instead.
Notice how in reference [1] the prefix of the stream decides how the stream gets decoded. In the default case an attacker can claim an accountType that is not the default one. This becomes a problem in [2], where an array-like object is used to instantiate a Buffer.
Usually just the node process gets killed. In rare cases the OS also kills other processes.
[1] https://github.com/shardeum/shardeum/blob/167e48478403918468410dd7562929653d5b9f6b/src/types/Helpers.ts#L110-L113
[2] https://github.com/shardeum/shardeum/blob/167e48478403918468410dd7562929653d5b9f6b/src/state/transactionState.ts#L154
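To make the failure mode concrete, here is an added example in Node.js; it is not Shardeum's code and does not reproduce the real accountDeserializer. It models a toy prefix-dispatched deserializer in the shape reference [1] describes, a constructed attacker payload whose codeHash field is a plain array-like object, a consumer in the shape of [2] that passes that field to Buffer.from, and a hardened consumer that re-checks the type at the point of use. All names (PREFIX_EOA, PREFIX_OTHER, codeHash, validateEoa) are assumptions made for the example, and the payload length is kept at 1 MiB so the demo runs without exhausting memory.

```javascript
// Added example, not Shardeum's code. Toy model of the bug class described in
// the report: a prefix byte selects the decoder, only the known branch runs
// schema validation, and a downstream Buffer.from() trusts the result.

const PREFIX_EOA = 0x01;   // hypothetical: the branch that runs schema validation
const PREFIX_OTHER = 0x02; // hypothetical: any prefix that lands in the default branch

// Stand-in for the ajv schema check the report says the usual objects go through.
function validateEoa(body) {
  if (typeof body.codeHash !== 'string') {
    throw new TypeError('codeHash must be a string');
  }
  return body;
}

// Toy deserializer: the first byte of the stream selects the decoder. Only the
// EOA branch validates; the default branch trusts whatever the body claims,
// including its accountType.
function accountDeserializerToy(stream) {
  const prefix = stream[0];
  const body = JSON.parse(stream.subarray(1).toString('utf8'));
  switch (prefix) {
    case PREFIX_EOA:
      return { accountType: 'EOA', data: validateEoa(body) };
    default:
      return { accountType: body.accountType, data: body };
  }
}

// Encodes a body under a chosen prefix byte (constructed wire format for the toy).
function encodeAccount(prefix, body) {
  return Buffer.concat([Buffer.from([prefix]), Buffer.from(JSON.stringify(body), 'utf8')]);
}

// Consumer in the shape of reference [2]: assumes codeHash is a string.
// Buffer.from() treats any object with a numeric `length` as array-like and
// allocates that many zero-filled bytes, so a plain {length: N} costs N bytes.
function codeHashBytesUnchecked(account) {
  return Buffer.from(account.data.codeHash);
}

// Hardened consumer: the value came from an unvalidated branch, so re-check the
// runtime type before it reaches an allocating API.
function codeHashBytesChecked(account) {
  const v = account.data.codeHash;
  if (typeof v !== 'string') {
    throw new TypeError(`codeHash: expected string, got ${typeof v}`);
  }
  return Buffer.from(v);
}

function demo() {
  const honest = accountDeserializerToy(encodeAccount(PREFIX_EOA, { codeHash: 'deadbeef' }));
  const honestLength = codeHashBytesUnchecked(honest).length; // 8 bytes

  // Constructed attacker body: claims to be an EOA, but codeHash is an
  // array-like object instead of a string.
  const attackerBody = { accountType: 'EOA', codeHash: { length: 1 << 20 } };

  // Sent under the validated prefix, the schema check rejects it.
  let eoaBranchRejected = false;
  try {
    accountDeserializerToy(encodeAccount(PREFIX_EOA, attackerBody));
  } catch (e) {
    eoaBranchRejected = e instanceof TypeError;
  }

  // Sent under a prefix that hits the default branch, it passes through
  // untouched and the consumer allocates 1 MiB of zeros from a tiny payload.
  const spoofed = accountDeserializerToy(encodeAccount(PREFIX_OTHER, attackerBody));
  const maliciousLength = codeHashBytesUnchecked(spoofed).length; // 1048576

  let hardenedRejected = false;
  try {
    codeHashBytesChecked(spoofed);
  } catch (e) {
    hardenedRejected = e instanceof TypeError;
  }

  return { honestLength, eoaBranchRejected, maliciousLength, hardenedRejected, claimedType: spoofed.accountType };
}

console.log(demo());
```

The ratio is the point: a JSON body of a few dozen bytes turns into a megabyte of allocation, and raising the claimed `length` scales the cost linearly until the V8 heap limit or the OS steps in. Note that TypeScript types do not help here, since the deserialized value is untyped at runtime; only a runtime check (ajv on every branch, or a typeof check before Buffer.from) stops the array-like object.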
We are going to:
1. Use shardus to start 11 nodes.
2. Then kill the port 9011 node.
3. Start json-rpc-server.
4. Apply the patches to turn the port 9011 node into an attacking node.
5. Manually start the 9011 node.
6. Wait until the node is active.
7. Inject a tx into the 9011 node.
8. Wait the ~10 seconds it takes for it to attack other nodes.