Network not being able to confirm new transactions (total network shutdown)
Description
Brief/Intro
A prototype pollution vulnerability has been discovered in the get_tx_timestamp handler of the state-manager module. This vulnerability allows an attacker to manipulate the Object prototype, potentially leading to shutdown of the active node and slashing of that node for leaving early. If exploited in production/mainnet, this flaw could cause significant disruption and compromise the security of the system.
Vulnerability Details
The vulnerability exists in the following code snippet:
```typescript
generateTimestampReceipt(
  txId: string,
  cycleMarker: string,
  cycleCounter: CycleRecord['counter']
): TimestampReceipt {
  const tsReceipt: TimestampReceipt = {
    txId,
    cycleMarker,
    cycleCounter,
    // shardusGetTime() was replaced with shardusGetTime() so we can have a more reliable timestamp consensus
    timestamp: shardusGetTime(),
  }
  const signedTsReceipt = this.crypto.sign(tsReceipt)
  /* prettier-ignore */ this.mainLogger.debug(`Timestamp receipt generated for txId ${txId}: ${utils.stringifyReduce(signedTsReceipt)}`)

  // caching ts receipt for later nodes
  if (!this.txTimestampCache[signedTsReceipt.cycleCounter]) {
    this.txTimestampCache[signedTsReceipt.cycleCounter] = {}
  }
  // cache to txId map
  this.txTimestampCache[signedTsReceipt.cycleCounter][txId] = signedTsReceipt
  if (Context.config.p2p.timestampCacheFix) {
    // eslint-disable-next-line security/detect-object-injection
    this.txTimestampCacheByTxId[txId] = signedTsReceipt
    this.seenTimestampRequests[txId] = true
  }
  /* prettier-ignore */ this.mainLogger.debug(`Timestamp receipt cached for txId ${txId} in cycle ${signedTsReceipt.cycleCounter}: ${utils.stringifyReduce(signedTsReceipt)}`)
  return signedTsReceipt
}
```
This function is called from the get_tx_timestamp handler; all of its parameters come from user-controlled input and can be crafted to include special property names such as __proto__, allowing an attacker to manipulate the Object prototype. The dangerous pattern is the nested cache write: when cycleCounter is the string "__proto__", the lookup `this.txTimestampCache["__proto__"]` resolves to Object.prototype (which is truthy, so the guard does not replace it), and the following assignment `this.txTimestampCache[cycleCounter][txId] = signedTsReceipt` therefore writes the receipt onto the shared Object prototype under the attacker-chosen txId. Here is the get_tx_timestamp code: