# 32982 - [BC - Critical] Crashing all Validators Vulnerability in eth_g...

Submitted on Jul 9th 2024 at 02:18:11 UTC by @infosec_us_team for [Boost | Shardeum: Core](https://immunefi.com/bounty/shardeum-core-boost/)

Report ID: #32982

Report type: Blockchain/DLT

Report severity: Critical

Target: <https://github.com/shardeum/shardus-core/tree/dev>

Impacts:

* Network not being able to confirm new transactions (total network shutdown)

## Description

## Brief/Intro

In this report, we demonstrate how sending one specially crafted HTTP request to any Validator crashes it (shuts it down).

With a list of validator IPs, an attacker can crash all of them at any time.

## Vulnerability Details

The vulnerability exists in the `/eth_getBlockByHash` endpoint. Below is the handler code for reference.

```ts
  shardus.registerExternalGet('eth_getBlockByHash', externalApiMiddleware, async (req, res) => {
    /* eslint-disable security/detect-object-injection */
    // The query parameter is cast to string but never checked for presence.
    let blockHash = req.query.blockHash as string
    // With no blockHash parameter, blockHash is undefined and .length throws here.
    if (blockHash === 'latest') blockHash = readableBlocks[latestBlock].hash
    else if (blockHash.length !== 66 || !isHexString(blockHash))
      return res.json({ error: 'Invalid block hash' })
    if (ShardeumFlags.VerboseLogs) console.log('Req: eth_getBlockByHash', blockHash)
    const blockNumber = blocksByHash[blockHash]
    return res.json({ block: readableBlocks[blockNumber] })
    /* eslint-enable security/detect-object-injection */
  })
```

Outside of any `try catch` block, the handler reads the **blockHash** query parameter and then reads its `length`.

If the parameter is not set, `blockHash` is `undefined`, and reading `.length` throws *Cannot read property 'length' of undefined*. Nothing in the async handler catches the exception, so it escapes the request and stops the running process.
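The fix is to validate the parameter before touching any of its properties and to make sure a thrown error in an async handler becomes an error response rather than an unhandled rejection. The following is an added example written for this report, not Shardeum's or shardus-core's own code: it reimplements the handler with those two guards against a constructed in-memory chain state and a minimal stand-in for an Express-style `req`/`res` pair. The helper names `parseBlockHashParam`, `asyncHandler`, `makeRes` and `simulate`, the sample blocks, and the assumed behaviour of `isHexString` (a `0x`-prefixed hex check) are all assumptions made here.

```javascript
// Added example (not the Shardeum code): hardened eth_getBlockByHash handler
// plus a wrapper that turns rejected async handlers into error responses.
// Chain state, helpers and the req/res shapes below are constructed stand-ins.

// Constructed sample chain state, mirroring the shapes the real handler reads.
const readableBlocks = {
  0: { number: '0x0', hash: '0x' + '00'.repeat(32) },
  1: { number: '0x1', hash: '0x' + 'ab'.repeat(32) },
};
const latestBlock = 1;
const blocksByHash = Object.fromEntries(
  Object.entries(readableBlocks).map(([n, b]) => [b.hash, Number(n)])
);

// Assumed behaviour of the page's isHexString: a 0x-prefixed hex string.
function isHexString(value) {
  return typeof value === 'string' && /^0x[0-9a-fA-F]*$/.test(value);
}

// Validate the query parameter before reading any property of it.
// Returns { ok: true, blockHash } or { ok: false, error }.
function parseBlockHashParam(query) {
  const raw = query ? query.blockHash : undefined;
  if (typeof raw !== 'string') {
    return { ok: false, error: 'Missing block hash' };
  }
  if (raw === 'latest') {
    return { ok: true, blockHash: readableBlocks[latestBlock].hash };
  }
  if (raw.length !== 66 || !isHexString(raw)) {
    return { ok: false, error: 'Invalid block hash' };
  }
  return { ok: true, blockHash: raw };
}

// Hardened handler: same lookup as the original, but every input path is
// checked first, and an unknown hash is reported instead of returning undefined.
async function ethGetBlockByHash(req, res) {
  const parsed = parseBlockHashParam(req.query);
  if (!parsed.ok) return res.status(400).json({ error: parsed.error });
  const blockNumber = blocksByHash[parsed.blockHash];
  if (blockNumber === undefined) return res.status(404).json({ error: 'Block not found' });
  return res.json({ block: readableBlocks[blockNumber] });
}

// Defence in depth: any error thrown inside an async handler becomes a 500
// response instead of an unhandled promise rejection that can end the process.
function asyncHandler(fn) {
  return (req, res) =>
    Promise.resolve()
      .then(() => fn(req, res))
      .catch(() => res.status(500).json({ error: 'Internal error' }));
}

// Minimal stand-in for an Express-style response object.
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Run one request through the wrapped hardened handler and return the response.
async function simulate(query) {
  const res = makeRes();
  await asyncHandler(ethGetBlockByHash)({ query }, res);
  return { status: res.statusCode, body: res.body };
}

// The original unguarded access pattern, kept only to show that the wrapper
// alone already converts the crash into a 500 response.
async function unguardedHandler(req, res) {
  const blockHash = req.query.blockHash;
  if (blockHash.length !== 66) return res.json({ error: 'Invalid block hash' });
  return res.json({ block: readableBlocks[blocksByHash[blockHash]] });
}
async function simulateUnguarded(query) {
  const res = makeRes();
  await asyncHandler(unguardedHandler)({ query }, res);
  return { status: res.statusCode, body: res.body };
}
```

With both changes in place, a request with no `blockHash` gets a `400` from `parseBlockHashParam`, and even a handler that still dereferences an undefined value answers `500` through `asyncHandler` instead of taking the process down. The wrapper is the more important of the two for the crash described here, because it protects every registered handler rather than one parameter.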

## Attack Vector

Visiting the URL `http://VALIDATOR_IP:9002/eth_getBlockByHash?` (notice that no `blockHash` parameter is provided), with VALIDATOR_IP replaced by the IP address of any validator in the blockchain, crashes that validator (shuts it down).

## Impact Details

Network not being able to confirm new transactions (total network shutdown)

## Proof of Concept

For a proof of concept, follow the instructions to run the Shardeum server locally or remotely and visit the URL `http://VALIDATOR_IP:9002/eth_getBlockByHash?`, replacing VALIDATOR_IP with the IP address.

The node will be shut down, any subsequent request to this IP and port will fail, and after a couple of minutes the Network Monitor at `http://VALIDATOR_IP:3000/` will also show one validator fewer.
