Network not being able to confirm new transactions (total network shutdown)
Description
Brief/Intro
This report will describe how sending a maliciously crafted HTTP POST request to the vulnerable "join" endpoint crashes the validator due to an uncaught exception.
The most basic impact will be a total network shutdown by crashing all validators, rated as "Critical" in the Impacts in Scope table.
With more time to play with the codebase, we could try to control the entire consensus by shutting down all validators in Standby except ours, but "total network shutdown" is already at the highest severity level, so we think it is best to invest time doing more research in the codebase and providing as much value as possible to your team rather than escalating an attack vector that is already catastrophic for the network.
Snippet of code from: https://github.com/shardeum/shardus-core/blob/dev/src/p2p/Join/routes.ts#L65-L209
The endpoint accepts an HTTP POST request whose body is read as a string, parsed into a JSON object, and assigned to a constant joinRequest of type JoinRequest.
Because the core logic of the join handler is not inside a try-catch block, when the body of the HTTP POST request is empty the parse throws an uncaught exception, the function crashes, and the validator goes down with the status "errored".
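To make the failure mode and the fix concrete, the following is an added example (not code from shardus-core or from this report): a join-style handler that parses a raw request body as JSON, once unguarded as described above and once guarded so that a bad body yields an HTTP 400 instead of taking the process down. The JoinRequest shape and the field name nodeInfo are assumptions for illustration only; the real type is in the repository linked above.

```javascript
// Added example, not shardus-core code. The request shape (nodeInfo.id) is an
// assumed placeholder; the real JoinRequest type lives in the linked repository.

// Unguarded variant, mirroring the pattern described in the report: JSON.parse
// runs outside any try/catch, so an empty or malformed body throws out of the
// handler. In an async route that becomes an unhandled promise rejection,
// which terminates the Node.js process by default (Node 15 and later).
function unguardedJoinHandler(rawBody) {
  const joinRequest = JSON.parse(rawBody); // throws SyntaxError on "" or non-JSON
  return { status: 200, body: { accepted: true, nodeId: joinRequest.nodeInfo.id } };
}

// Guarded variant: parse failures and shape violations become a 400 response
// rather than an exception, so the validator stays up.
function guardedJoinHandler(rawBody) {
  let joinRequest;
  try {
    joinRequest = JSON.parse(rawBody);
  } catch (err) {
    return { status: 400, body: { error: 'body is not valid JSON' } };
  }
  // JSON.parse happily returns null, numbers and arrays; a join request must be an object.
  if (joinRequest === null || typeof joinRequest !== 'object' || Array.isArray(joinRequest)) {
    return { status: 400, body: { error: 'join request must be a JSON object' } };
  }
  // Minimal schema check on the assumed field before it is dereferenced.
  const info = joinRequest.nodeInfo;
  if (info === null || typeof info !== 'object' || typeof info.id !== 'string') {
    return { status: 400, body: { error: 'nodeInfo.id is required' } };
  }
  return { status: 200, body: { accepted: true, nodeId: info.id } };
}

// Reports whether a handler returns normally for a given body, i.e. whether
// the hosting process would have survived the request.
function handlerSurvives(handler, rawBody) {
  try {
    handler(rawBody);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample bodies: an empty body (the case from the report), a
// non-object JSON value, and a well-formed request.
const SAMPLE_BODIES = {
  empty: '',
  nonObject: 'null',
  wellFormed: JSON.stringify({ nodeInfo: { id: 'node-abc123' } }),
};

// Runs every sample through both handlers and returns a survival table.
function survivalReport() {
  const report = {};
  for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
    report[name] = {
      unguarded: handlerSurvives(unguardedJoinHandler, body),
      guarded: handlerSurvives(guardedJoinHandler, body),
    };
  }
  return report;
}

console.log(JSON.stringify(survivalReport(), null, 2));
```

The point of the shape checks after the try/catch is that catching the SyntaxError alone is not enough: JSON.parse accepts "null", "42" or "[]", and dereferencing a field on those throws a TypeError from exactly the same unguarded position. A framework-level safety net (a global error handler or a process-level unhandledRejection hook) is worth having as well, but it should be the second line of defence behind per-route input validation.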
The status of each instance can be verified by running the command shardus list-net or shardus pm2 list.
Observations in our tests
In our tests, we started 20 validators in a network with a configuration that requires/"desires" only 10 validators, to have some backups on standby, waiting to join.
After waiting a few minutes so they all sync, the column Desired of the monitor server at port :3000 shows the value of 10, as expected.
After crashing several validator instances by exploiting the attack described in this report, waiting a few minutes and crashing more validators, the column Desired goes from 10 to 0, and the network shuts itself down.
Impact Details
Ability to crash all validators, leading to the network not being able to confirm new transactions
Proof of Concept
This is a very easy-to-reproduce proof of concept: we created a short JavaScript snippet that you can run even in your browser console against a victim validator.

// An HTTP POST with an empty body, which is the case described above
const options = { method: "POST" };

fetch("http://VALIDATOR_EXTERNAL_IP:VALIDATOR_EXTERNAL_PORT/join/", options)
  .then(response => {
    if (!response.ok) {
      throw new Error('Network response was not ok');
    }
    return response.json();
  })
  .then(data => {
    console.log('Success:', data);
  })
  .catch(error => {
    console.error('Error:', error);
  });
Replace VALIDATOR_EXTERNAL_IP and VALIDATOR_EXTERNAL_PORT with the IP and Port of the target.
After running the request against as many validators as desired, run the command shardus pm2 list to check their status.
They will be displayed as errored.
If any of them is not, wait a few minutes and run it again.