32982 - [BC - Critical] Crashing all Validators Vulnerability in eth_g...
Submitted on Jul 9th 2024 at 02:18:11 UTC by @infosec_us_team for
Report ID: #32982
Report type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardus-core/tree/dev
Impacts:
Network not being able to confirm new transactions (total network shutdown)
In this report, we demonstrate how sending one specially crafted HTTP request to any Validator crashes it (shuts it down).
With a list of validator IPs, an attacker can crash all of them at any time.
The vulnerability exists in the endpoint '/eth_getBlockByHash'. Below is the code for the function as a reference.
Outside of a try/catch block, the endpoint reads the URL param blockHash and then accesses its length. If the param was not set, the variable blockHash is undefined, so reading its length throws "Cannot read property 'length' of undefined"; because the exception is not caught, it terminates the running process.
Visiting the URL http://VALIDATOR_IP:9002/eth_getBlockByHash? (notice we are not providing the blockHash param), with VALIDATOR_IP replaced by the IP address of any validator in the blockchain, crashes that validator (shuts it down).
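The defect pattern described above next to a hardened handler, as an added illustration that is not code from the report or from shardus-core. The handler shape, the 32-byte hex format check, the constructed block table and the `safeHandler` wrapper are assumptions made for this example:

```javascript
// Added example (not shardus-core code): a minimal stand-in for an
// eth_getBlockByHash handler, taking the parsed query object and returning
// { status, body } so it can run without an HTTP framework.

// Assumed format: 0x-prefixed, 64 hex chars (a 32-byte block hash).
const BLOCK_HASH_RE = /^0x[0-9a-fA-F]{64}$/;

// Constructed stand-in for block lookup; real code would query node state.
const SAMPLE_HASH = "0x" + "ab".repeat(32);
const FAKE_BLOCKS = { [SAMPLE_HASH]: { number: 1, hash: SAMPLE_HASH } };

// Vulnerable shape: touches blockHash.length with no guard. With query = {}
// this throws TypeError ("Cannot read properties of undefined"), and if the
// exception is not caught anywhere up the stack the process exits.
function vulnerableGetBlockByHash(query) {
  const blockHash = query.blockHash;
  if (blockHash.length !== 66) {
    return { status: 400, body: { error: "bad hash length" } };
  }
  return { status: 200, body: FAKE_BLOCKS[blockHash] ?? null };
}

// Hardened shape: check type and format before using the value, so a missing
// or malformed param becomes an ordinary 400 response, not an exception.
function hardenedGetBlockByHash(query) {
  const blockHash = query?.blockHash;
  if (typeof blockHash !== "string" || !BLOCK_HASH_RE.test(blockHash)) {
    return {
      status: 400,
      body: { error: "blockHash must be a 0x-prefixed 32-byte hex string" },
    };
  }
  return { status: 200, body: FAKE_BLOCKS[blockHash] ?? null };
}

// Boundary guard: convert any handler exception into a 500 so a single bad
// request cannot terminate the node even where input validation was missed.
function safeHandler(handler, query) {
  try {
    return handler(query);
  } catch (err) {
    return { status: 500, body: { error: "internal error" } };
  }
}
```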
Network not being able to confirm new transactions (total network shutdown)
For a proof of concept, follow the instructions to run the Shardeum server locally or remotely and visit the URL http://VALIDATOR_IP:9002/eth_getBlockByHash? with VALIDATOR_IP replaced by the node's IP address.
The node shuts down, any subsequent request to that IP and port fails, and after a couple of minutes the Network Monitor at http://VALIDATOR_IP:3000/ shows one fewer validator.