#38030 [BC-Insight] Coordinator can be crashed by signers on DKG
Was this helpful?
Was this helpful?
Submitted on Dec 22nd 2024 at 18:10:47 UTC by @n4nika for
Report ID: #38030
Report Type: Blockchain/DLT
Report severity: Insight
Target: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/signer
Impacts:
Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network
The wsts
library uses insecure array accesses, making it possible for a malicious signer to send certain packets to a coordinator during a DKG which cause the coordinator to panic.
I will put multiple instances of this in one issue since they all are only triggerable on DKG (which will not be triggered in the near future but this was explicitly mentioned by the team to still be desireable).
Instances:
wsts::fire.rs#L580
wsts::fire.rs#L626
wsts::fire.rs#L628
Further description:
Here we index dkg_public_shares[bad_signer_id]
. If a signer manages to get a malicious bad_signer_id
to this point, we will crash. This is the least likely case of the here mentioned cases but if a signer manages to have bad_signer_id
not in dkg_public_shares
, it is possible. While this is not easy, I wanted to mention it anyways for completeness
Here we index dkg_public_shares[src_party_id]
where we get src_party_id
by iterating over dkg_private_shares.shares
of which the integrity is NOT checked so this is directly exploitable by the attack described later
Here we index key_shares[key_id]
where key_shares
is also taken from dkg_private_shares.shares
making it a direct target for exploitation
In order to exploit this, a malicous signer needs to send a BadPrivateShare
to the coordinator which contains malformed shares
and adheres to the following restrictions:
tuple_proof
is valid
Replace all array accesses in the whole wsts
library using []
with .get
or equivalent methods and handle errors accordingly.
@djordon mentioned on discord that I don't need to provide a PoC for these since this report is supposed to be marked as Insight
anyways.