#38551 [BC-Medium] A signer can request stacks tx nonces in batches in advance and then DoS other signers' sBTC contract calls
Submitted on Jan 6th 2025 at 14:39:45 UTC by @f4lc0n for
Report ID: #38551
Report Type: Blockchain/DLT
Report severity: Medium
Target: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_0.9/signer
Impacts:
API crash preventing correct processing of deposits
When a signer acts as a coordinator, it will initiate some sBTC stacks contract calls.
The problem now is that the signer does not check the nonce of the stacks transaction requested by the coordinator. A malicious coordinator can request nonces in batches in advance, and then DoS their contract calls when other signers become coordinators.
For example, if the current nonce is 100, the attacker can request nonces 101...200 in advance when becoming a coordinator. Then, when another signer becomes a coordinator, the attacker submits a transaction with a nonce of 101 to DoS the current coordinator's transaction.
The signer/src/transaction_signer.rs::handle_stacks_transaction_sign_request code is as follows.
It does not check request.nonce and sets it as the wallet's nonce.
The attacker can DoS other signers' Stacks transactions and can control whether deposits are executed or the order in which they are executed.
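One way to add the missing check, shown as an added example that is not from the report or the sBTC code base. NonceGuard, window, observe_chain_nonce and accepted_in_batch are hypothetical names, and the signer is assumed to learn the account's next nonce from its own view of the chain rather than from the coordinator's request.

```rust
// Added example, not sBTC code: a hypothetical per-signer nonce policy.
#[derive(Debug, PartialEq)]
pub enum NonceError {
    Stale { requested: u64, next: u64 },
    TooFarAhead { requested: u64, limit: u64 },
}

pub struct NonceGuard {
    /// Next nonce the wallet account will accept (assumed to come from the
    /// signer's own view of the chain, never from the coordinator's request).
    next_nonce: u64,
    /// Assumed policy knob: how many nonces starting at `next_nonce` may be signed.
    window: u64,
}

impl NonceGuard {
    pub fn new(next_nonce: u64, window: u64) -> Self {
        Self { next_nonce, window }
    }

    /// Record a newer confirmed account nonce; never moves backwards.
    pub fn observe_chain_nonce(&mut self, next_nonce: u64) {
        self.next_nonce = self.next_nonce.max(next_nonce);
    }

    /// Decide whether a sign request for `requested` may proceed.
    pub fn check(&self, requested: u64) -> Result<(), NonceError> {
        if requested < self.next_nonce {
            return Err(NonceError::Stale { requested, next: self.next_nonce });
        }
        let limit = self.next_nonce.saturating_add(self.window); // exclusive bound
        if requested >= limit {
            return Err(NonceError::TooFarAhead { requested, limit });
        }
        Ok(())
    }
}

/// Count how many requests in an inclusive nonce range would be signed.
pub fn accepted_in_batch(guard: &NonceGuard, first: u64, last: u64) -> usize {
    (first..=last).filter(|n| guard.check(*n).is_ok()).count()
}

fn main() {
    // Constructed scenario from the report: nonce 100 is used, 101 is next.
    let mut guard = NonceGuard::new(101, 5);
    println!("batch 101..=200 signed: {}", accepted_in_batch(&guard, 101, 200));
    guard.observe_chain_nonce(106);
    println!("stockpiled nonce 101 now: {:?}", guard.check(101));
}
```

A window only bounds how many future nonces one coordinator can collect signatures for; transactions pre-signed inside the window stay usable until the account nonce passes them.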
None
Based on: https://github.com/stacks-network/sbtc/releases/tag/0.0.9-rc4
Patch signer/src/config/mod.rs, add attacker flag config
Patch signer/src/main.rs, load attacker flag
Patch docker/docker-compose.yml, add attacker flag
Patch signer/src/transaction_coordinator.rs, add attack action.
Run docker
Patch signer/Cargo.toml, add poc9 bin
Wait for the sBTC contract to be deployed. Then run the poc9 tool. It will send 40 BTC to the signers' BTC address and trigger deposits every 10 seconds.
This PoC sets sbtc-signer-3 as the attacker. Once it is sbtc-signer-3's turn as the coordinator, it will request signatures for a batch of Stacks transactions with different nonces and submit them to the Stacks network every 1 second.
Then, check the logs of sbtc-signer-1 and sbtc-signer-2, and you will find that the deposit Stacks transactions they submitted failed due to CONFLICTING_NONCE_IN_MEMPOOL.
Add to signer/src/bin/poc9.rs