32982 - [BC - Critical] Crashing all Validators Vulnerability in eth_g...
Submitted on Jul 9th 2024 at 02:18:11 UTC by @infosec_us_team for Boost | Shardeum: Core
Report ID: #32982
Report type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardus-core/tree/dev
Impacts:
Network not being able to confirm new transactions (total network shutdown)
Description
Brief/Intro
In this report, we demonstrate how a single specially crafted HTTP request sent to any Validator crashes it (shuts the node process down).
With a list of validator IPs, an attacker can crash all of them at any time.
Vulnerability Details
The vulnerability exists in the endpoint '/eth_getBlockByHash'. The code for the function is reproduced below for reference.
Outside of any try/catch block, the endpoint reads the URL query parameter blockHash and then accesses its length.
If the parameter was not supplied, blockHash is undefined, and reading .length throws a TypeError (Cannot read property 'length' of undefined). Because nothing catches it, the exception escapes the request handler as an uncaught exception, and the Node.js process running the validator terminates.
Attack Vector
Visiting the URL http://VALIDATOR_IP:9002/eth_getBlockByHash? (note that no blockHash param is provided), with VALIDATOR_IP replaced by the IP address of any validator in the network, crashes that validator (shuts it down).
Impact Details
Network not being able to confirm new transactions (total network shutdown)
Proof of Concept
For a proof of concept, follow the instructions to run the Shardeum server locally or remotely, then visit the URL http://VALIDATOR_IP:9002/eth_getBlockByHash? with VALIDATOR_IP replaced by the node's IP address.
The node shuts down, every subsequent request to that IP and port fails, and after a couple of minutes the Network Monitor at http://VALIDATOR_IP:3000/ shows one validator fewer.