# 32982 - [BC - Critical] Crashing all Validators Vulnerability in eth_g...

Submitted on Jul 9th 2024 at 02:18:11 UTC by @infosec_us_team for [Boost | Shardeum: Core](https://immunefi.com/bounty/shardeum-core-boost/)

Report ID: #32982

Report type: Blockchain/DLT

Report severity: Critical

Target: <https://github.com/shardeum/shardus-core/tree/dev>

Impacts:

* Network not being able to confirm new transactions (total network shutdown)

## Description

## Brief/Intro

In this report, we demonstrate how sending one specially crafted HTTP request to any Validator can crash it (shut it down).

With a list of validator IPs, an attacker can crash all of them at any time.

## Vulnerability Details

The vulnerability exists in the endpoint `/eth_getBlockByHash`. Below is the code for the function as a reference.

```typescript
  shardus.registerExternalGet('eth_getBlockByHash', externalApiMiddleware, async (req, res) => {
    /* eslint-disable security/detect-object-injection */
    // The cast hides the fact that a missing query param yields `undefined`
    let blockHash = req.query.blockHash as string
    if (blockHash === 'latest') blockHash = readableBlocks[latestBlock].hash
    // `.length` is read without checking that blockHash is a string
    else if (blockHash.length !== 66 || !isHexString(blockHash))
      return res.json({ error: 'Invalid block hash' })
    if (ShardeumFlags.VerboseLogs) console.log('Req: eth_getBlockByHash', blockHash)
    const blockNumber = blocksByHash[blockHash]
    return res.json({ block: readableBlocks[blockNumber] })
    /* eslint-enable security/detect-object-injection */
  })
```

Outside of a `try catch` block, the endpoint reads the value of the URL param **blockHash** and then tries to read its length.

If the param was not set, the variable `blockHash` is `undefined`, and reading its length throws the error *Cannot read property 'length' of undefined*; because nothing catches that exception, the running process stops.
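To make the failure concrete, the following is an added example (not Shardeum's code) that models the handler over constructed block data: the vulnerable shape throws a `TypeError` when `blockHash` is absent, while a hardened shape validates the parameter's type and shape before touching it. The names `readableBlocks`, `blocksByHash`, `latestBlock` and `isHexString` are stand-ins for the project's own, assumed here for illustration.

```typescript
// Constructed sample chain state standing in for the node's block index.
type Query = Record<string, string | string[] | undefined>;
type SampleBlock = { number: number; hash: string };

const readableBlocks: SampleBlock[] = [
  { number: 0, hash: '0x' + 'aa'.repeat(32) },
  { number: 1, hash: '0x' + 'bb'.repeat(32) },
];
const latestBlock = readableBlocks.length - 1;
const blocksByHash: Record<string, number> = {};
for (const b of readableBlocks) blocksByHash[b.hash] = b.number;
const isHexString = (s: string): boolean => /^0x[0-9a-fA-F]*$/.test(s);

// Vulnerable shape: the `as string` cast silences the compiler, so a missing
// parameter reaches `.length` and throws a TypeError. In the real handler
// there is no try/catch around it, so the exception escapes the request.
function vulnerableHandler(query: Query): object {
  let blockHash = query.blockHash as string;
  if (blockHash === 'latest') blockHash = readableBlocks[latestBlock].hash;
  else if (blockHash.length !== 66 || !isHexString(blockHash)) return { error: 'Invalid block hash' };
  return { block: readableBlocks[blocksByHash[blockHash]] };
}

// Hardened shape: reject anything that is not a single string before using
// it, and answer an unknown hash with an error instead of `{ block: undefined }`.
function hardenedHandler(query: Query): object {
  const raw = query.blockHash;
  if (typeof raw !== 'string') return { error: 'Missing or malformed blockHash' };
  const blockHash = raw === 'latest' ? readableBlocks[latestBlock].hash : raw;
  if (blockHash.length !== 66 || !isHexString(blockHash)) return { error: 'Invalid block hash' };
  const blockNumber = blocksByHash[blockHash];
  if (blockNumber === undefined) return { error: 'Unknown block hash' };
  return { block: readableBlocks[blockNumber] };
}

// Reports whether a handler throws a TypeError for the given query,
// i.e. whether the request would escape as an uncaught exception.
function throwsTypeError(handler: (q: Query) => object, query: Query): boolean {
  try {
    handler(query);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```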

## Attack Vector

Visiting the URL *<http://VALIDATOR_IP:9002/eth_getBlockByHash>?* (notice we are not providing the `blockHash` param), replacing VALIDATOR_IP with the IP address of any validator in the blockchain, will crash it (shut it down).

## Impact Details

Network not being able to confirm new transactions (total network shutdown)

## Proof of Concept

For a proof of concept, follow the instructions to run the Shardeum server locally or remotely and visit the URL *<http://VALIDATOR_IP:9002/eth_getBlockByHash>?* replacing VALIDATOR_IP with the IP address.

The node will be shut down, any subsequent request to this IP and port will fail, and after a couple of minutes the Network Monitor at <http://VALIDATOR_IP:3000/> will also show one validator fewer.
