#40000 [BC-Critical] Improper input validation in fixDeserializedWrappedEVMAccount leads to DOS and total network shutdown
Submitted on Feb 12th 2025 at 13:48:37 UTC by @Blockian for Audit Comp | Shardeum: Core III
Report ID: #40000
Report Type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardeum/tree/bugbounty
Impacts:
Network not being able to confirm new transactions (total network shutdown)
Description
Note
This is the same bug that was already submitted in past contests, but was incorrectly fixed:34484 and 33941 As stated by you, all past reports expect those stated explicitly are in-scope.
Impact
Can be used to crash nodes.
Root Cause
The fixDeserializedWrappedEVMAccount
function, which is commonly used throughout shardeum
repositorie, does not perform validation on the passed data. It is possible to pass an "Array-like" object as the storageRoot
,codeHash
,codeByte
,value
, fields, which is accepted by Uint8Array.from
used by the fixWrappedEVMAccountBuffers
/ fixAccountFields
functions called from fixDeserializedWrappedEVMAccount
.
Attack Flow
A malicious user legitimately calls the
binary/repair_oos_accounts
handler, but with a malicious account data.The account data is not validated before being passed to
fixDeserializedWrappedEVMAccount
, and causes the node to crash
Deep Dive
Trigger flow
binary_repair_oos_accounts
handler accepts a payloadIt then iterates its
repairInstructions
and extracts data from each instruction
It then validates
targetNodeId
It then validates
accountId
It then validates
accountData.timestamp
It then validates
txId
It then validates
signedReceipt
with many validationsIt then validates
accountData.data
But not before calling
calculateAccountHash
Crash flow
fixDeserializedWrappedEVMAccount
in the case ofAccountType.Account
callsfixAccountFields
fixAccountFields
callsfixAccountUint8Arrays
fixAccountUint8Arrays
callsUint8Array.from
which accepts object withlength
field
Attack Flow
A malicious user asks a node to sign a staking certificate, also containing fields related to "remove-by-app" or "set-global".
The user then uses that certificate to remove a node or change the global account config, successfully passing signature validation.
Suggested Fix
Before calling Array.from
validate the type is not an object, everywhere in the code.
Severity
This is a total network shutdown which is critical.
In addition, this is the same as the past reports which were critical.
Proof of Concept
Proof of Concept
The POC is a combination of the [[#Trigger flow]] from [[#Deep Dive]] to show calculateAccountHash
can be reached by a malicious node, with a POC that shows calculateAccountHash
can be used to crash.
Apply the following changes to
shardeum
:
Apply the following changes to
core
:
Run a 10 nodes network (
shardus start 10
)Run a
json-rpc-server
Run the following attack script:
Was this helpful?