search
Active Boosts

33696 - [BC - Critical] Failure to validate golden ticket admin cert

hashtag
Failure to validate golden ticket admin cert

Submitted on Jul 26th 2024 at 22:15:30 UTC by @ZhouWu for Boost | Shardeum: Corearrow-up-right

Report ID: #33696

Report type: Blockchain/DLT

Report severity: Critical

Target: https://github.com/shardeum/shardus-core/tree/dev

Impacts:

  • Network not being able to confirm new transactions (total network shutdown)

  • Taking over majority of the network by single authority

  • Modification of transaction fees outside of design parameters

hashtag
Description

hashtag
Description

Failure to validate golden ticket admin cert leading to malicious node be able mark themselves golden to get into network bypassing selection algorithm altogether.

hashtag
Proof of Concept

  • Launch a legit shardeum network and enable all logs, that way you can verify the malicious node get into the network by golden ticket by checking legit node's logs. (Logs are not necessary for attack to work it's only for your own benefit to verify the attack work)

  • Apply the patch to shardus/core. This will be malicious node.

  • this patch make the malicious node mark itself as golden ticket node

  • build and link it to your malicious shardeum node

  • launch your malicious node

  • it'll bypass the selection algorithm and will get in to the network at the next cycle

  • If you enable logs in earlier step you can verify this by going into the logs of the legit nodes.

  • Please use appropriate log settings to confirm if you need more info.

hashtag
Impact

This vulnerability allows malicious agent to launch army of node and effectively take over the network. >51%.

hashtag
The reason why it happen

  • In shardus/core node were not properly validating the golden ticket admin cert. It was just checking if it's present or not. It should have checked if it's valid or not. see the codearrow-up-right

hashtag
Proof of Concept

  • Launch a legit shardeum network and enable all logs, that way you can verify the malicious node get into the network by golden ticket by checking legit node's logs. (Logs are not necessary for attack to work it's only for your own benefit to verify the attack work)

  • Apply the patch to shardus/core. This will be malicious node.

  • this patch make the malicious node mark itself as golden ticket node

  • build and link it to your malicious shardeum node

  • launch your malicious node

  • it'll bypass the selection algorithm and will get in to the network at the next cycle

  • If you enable logs in earlier step you can verify this by going into the logs of the legit nodes.

  • Please use appropriate log settings to confirm if you need more info.

Previous33655 - [BC - Critical] Complete shutdown of the transaction processing...Next33735 - [BC - Insight] Network split due to the sync issue in PP modul...

Last updated

Was this helpful?