Permanent freezing of funds (fix requires hardfork)
API crash preventing correct processing of deposits
Description
Brief/Intro
The /new_block api of Signer receives each block of Stacks and reads the events in it. Signer uses the axum::http package to run the api http service. The of axum::http is 2M.
Attackers can emit more than 2M events in a Stacks block to make the Stacks node fail to access the Signer's /new_block. Then the Stacks node will make requests infinitely and fail infinitely, and the Signer will never be able to obtain new Stacks block events.
Vulnerability Details
The axum::extract::DefaultBodyLimit docs is as follows.
For security reasons, Bytes will, by default, not accept bodies larger than 2MB. This also applies to extractors that uses Bytes internally such as String, Json, and Form.
The signer/src/api/new_block.rs::new_block_handler code is as follows.
/// A handler of `POST /new_block` webhook events.
///
/// # Notes
///
/// The event dispatcher functionality in a stacks node attempts to send
/// the payload to all interested observers, one-by-one. If the node fails
/// to connect to one of the observers, or if the response from the
/// observer is not a 200-299 response code, then it sleeps for 1 second
/// and tries again[^1]. From the looks of it, the node will not stop
/// trying to send the webhook until there is a success. Because of this,
/// unless we encounter an error where retrying in a second might succeed,
/// we will return a 200 OK status code.
///
/// TODO: We need to be careful to only return a non success status code a
/// fixed number of times.
///
/// [^1]: <https://github.com/stacks-network/stacks-core/blob/09c4b066e25104be8b066e8f7530ff0c6df4ccd5/testnet/stacks-node/src/event_dispatcher.rs#L317-L385>
#[tracing::instrument(skip_all, name = "new-block")]
pub async fn new_block_handler(state: State<ApiState<impl Context>>, body: String) -> StatusCode {
tracing::debug!("received a new block event from stacks-core");
metrics::counter!(
Metrics::BlocksObservedTotal,
"blockchain" => STACKS_BLOCKCHAIN,
)
.increment(1);
According to the comment, we can know that Stacks node will retry infinitely until it successfully accesses the /new_block api of Signer.
Impact Details
Signer will never receive events from Stacks again. The specific impacts are as follows:
Since it cannot receive the WithdrawalCreate event, the Signer will not process the user's withdrawal request. The user's sBTC will be frozen.
Since it cannot receive the KeyRotation event, the Signer will not receive the new rotate_key. Then the Signer will process the deposits.
Since it freezes the user's funds, but it is temporary, I consider this a High.
References
None
Proof of Concept
Proof of Concept
Add some log to signer/src/api/new_block.rs. The log will print each new stacks block received
let new_block_event: NewBlockEvent = match serde_json::from_str(&body) {
Ok(value) => value,
// If we are here, then we failed to deserialize the webhook body
// into the expected type. It's unlikely that retying this webhook
// will lead to success, so we log the error and return `200 OK` so
// that the node does not retry the webhook.
Err(error) => {
tracing::error!(%body, %error, "could not deserialize POST /new_block webhook:");
return StatusCode::OK;
}
};
+ tracing::info!("@audit; new_block_event.block_height: {:?}", new_block_event.block_height);
// Although transactions can fail, only successful transactions emit
// sBTC print events, since those events are emitted at the very end of
Add a test address to docker/stacks/stacks-regtest-miner.toml. Please replace it with your wallet address!
[[ustx_balance]]
# This is a 2-3 multi-sig address controlled using the above three
# addresses. The above three accounts are also in the
# `docker/sbtc/signer/README.md` file, and the resulting multi-sig address
# below was created using the SignerWallet struct.
address = "SN3R84XZYA63QS28932XQF3G1J8R9PC3W76P9CSQS"
amount = 10000000000000000
+
+[[ustx_balance]]
+# Please replace it with your wallet address!
+address = "STHKP28RMWC458D0H7TP3SR88ZSDGB7KKV7T23KV" # auditor test address
+amount = 10000000000000000
Build docker
make devenv-up
make devenv-down
docker compose -f docker/docker-compose.yml --profile default --profile bitcoin-mempool --profile sbtc-signer build
make devenv-up
