Active Boosts

33277 - [BC - Critical] Validators can be crashed via GET

Submitted on Jul 17th 2024 at 03:26:00 UTC by @usmannk for Boost | Shardeum: Core

Report ID: #33277

Report type: Blockchain/DLT

Report severity: Critical

Target: https://github.com/shardeum/shardeum/tree/dev

Impacts:

  • Network not being able to confirm new transactions (total network shutdown)

Description

Brief/Intro

Simply calling the default endpoint eth_getBlockByHash with no params causes a node to crash and die permanently.

By looping this over the network, an attacker can halt all transactions.

Proof of Concept

  • Run a local cluster:

    • $ shardus start 10

  • Pick a node, say, 9001.

  • Crash the node by navigating to http://localhost:9001/eth_getBlockByHash and not providing parameters

  • Go to http://127.0.0.1:4000/nodelist and observe that the node is offline

Previous33254 - [BC - Medium] The signature used to Gossip an UnjoinRequest h...Next33278 - [BC - Critical] Improper input validation leads to DOS and tota...

Last updated