# #38030 [BC-Insight] Coordinator can be crashed by signers on DKG

**Submitted on Dec 22nd 2024 at 18:10:47 UTC by @n4nika for** [**Attackathon | Stacks**](https://immunefi.com/audit-competition/stacks-attackathon-1)

* **Report ID:** #38030
* **Report Type:** Blockchain/DLT
* **Report severity:** Insight
* **Target:** <https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/signer>
* **Impacts:**
  * Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network

## Description

## Summary

The `wsts` library uses insecure array accesses, making it possible for a malicious signer to send certain packets to a coordinator during a DKG which cause the coordinator to panic.

## Finding Description

I will put multiple instances of this in one issue since they are all only triggerable on DKG (which will not be triggered in the near future, but this was explicitly mentioned by the team to still be desirable).

Instances:

1. `wsts::fire.rs#L580`
2. `wsts::fire.rs#L626`
3. `wsts::fire.rs#L628`

Further description:

1. Here we index `dkg_public_shares[bad_signer_id]`. If a signer manages to get a malicious `bad_signer_id` to this point, we will crash. This is the least likely of the cases mentioned here, but it is possible if a signer manages to have a `bad_signer_id` that is not in `dkg_public_shares`. While this is not easy, I wanted to mention it anyway for completeness.
2. Here we index `dkg_public_shares[src_party_id]`, where we get `src_party_id` by iterating over `dkg_private_shares.shares`, the integrity of which is NOT checked, so this is directly exploitable by the attack described later.
3. Here we index `key_shares[key_id]`, where `key_shares` is also taken from `dkg_private_shares.shares`, making it a direct target for exploitation.

### Exploiting 2) and 3)

In order to exploit this, a malicious signer needs to send a `BadPrivateShare` to the coordinator which contains malformed `shares` and adheres to the following restrictions:

* `tuple_proof` is valid

## Mitigation

Replace all array accesses in the whole `wsts` library using `[]` with `.get` or equivalent methods and handle errors accordingly.
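
The mitigation above, sketched as an added example (not code from this report or from `wsts`): the same lookup written once with `[]` and once with `.get`, run over a constructed share set in which one source party is unknown. The type aliases, `ShareError`, and all function names are hypothetical simplifications; byte vectors stand in for the real share types.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for the coordinator's DKG state (not the wsts types).
type PublicShares = HashMap<u32, Vec<u8>>; // party id -> public shares
type SharesFrom = (u32, HashMap<u32, Vec<u8>>); // (src_party_id, key_id -> share)

#[derive(Debug, PartialEq)]
pub enum ShareError {
    UnknownParty(u32),
    MissingKeyShare { party: u32, key_id: u32 },
}

// Panicking pattern: `Index` on a HashMap panics when the key is absent,
// and here both keys are derived from a signer-supplied message.
pub fn lookup_unchecked(public: &PublicShares, private: &[SharesFrom], key_id: u32) -> usize {
    let mut total = 0;
    for (src_party_id, key_shares) in private {
        total += public[src_party_id].len() + key_shares[&key_id].len();
    }
    total
}

// Hardened pattern: `.get` turns a missing entry into an error value the
// coordinator can attribute to the sender instead of unwinding.
pub fn lookup_checked(public: &PublicShares, private: &[SharesFrom], key_id: u32) -> Result<usize, ShareError> {
    let mut total = 0;
    for (src_party_id, key_shares) in private {
        let commitment = public.get(src_party_id).ok_or(ShareError::UnknownParty(*src_party_id))?;
        let share = key_shares
            .get(&key_id)
            .ok_or(ShareError::MissingKeyShare { party: *src_party_id, key_id })?;
        total += commitment.len() + share.len();
    }
    Ok(total)
}

// Constructed sample: party 1 is known, party 7 never published public shares.
pub fn sample() -> (PublicShares, Vec<SharesFrom>) {
    let public = HashMap::from([(1, vec![0xAA; 4])]);
    let private = vec![
        (1, HashMap::from([(1, vec![0x01; 2])])),
        (7, HashMap::from([(1, vec![0x02; 2])])),
    ];
    (public, private)
}

fn main() {
    let (public, private) = sample();
    println!("checked: {:?}", lookup_checked(&public, &private, 1));
    let r = std::panic::catch_unwind(|| { let (p, s) = sample(); lookup_unchecked(&p, &s, 1) });
    println!("unchecked lookup panicked: {}", r.is_err());
}
```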

## Proof of Concept

## PoC

@djordon mentioned on Discord that I don't need to provide a PoC for these since this report is supposed to be marked as `Insight` anyways.

