Stacks II Attackathon

Reports by Severity

High
  • #42747 [BC-High] Large BTC transactions with many sbtc deposits can permanently crash/halt all signers

  • #40692 [BC-High] Calling multiple withdrawals on a single transaction causes Signers to halt and the network to stop

  • #42752 [BC-High] Signer can be DOSed through their libp2p component

  • #40806 [BC-High] Users can submit deposits containing large `reclaim_scripts` to DoS Emily and Signers

Medium
  • #42773 [BC-Medium] Signers can be compromised by a libp2p DoS attack

  • #40731 [BC-Medium] A malicious signer can force a panic in the coordinator by sending `DkgFailure::BadPrivateShares` with an invalid signer ID

  • #42404 [BC-Medium] A signer can OOM kill other signers during DKG verification

  • #40655 [BC-Medium] Malicious signers can give different votes to other Signers to prevent sBTC withdrawal

  • #41111 [BC-Medium] A malicious signer could manipulate withdrawal decisions preventing accepted and rejected withdrawals from getting confirmed on Stacks chain

Low
  • #41014 [BC-Low] The signer can submit multi-tx first to make the coordinator's submission fail

  • #42764 [BC-Low] A BTC wallet on signer blocklists can cause network DoS

  • #40770 [BC-Low] Unvalidated withdrawal events allow data manipulation and denial of service in Emily

Insight
  • #41202 [BC-Insight] A malicious signer can force a failure of the signature round by providing a key ID they don't own

  • #41597 [BC-Insight] Emily server can crash their connected Stacks node when processing a large number of events

  • #42750 [BC-Insight] Subtraction overflow risk in WSTS FIRE coordinator

  • #41340 [BC-Insight] There is insecure Exposure of `TRUSTED_REORG_API_KEY` in Lambda and it can lead to Potential sBTC Withdrawal Manipulation

Reports by Type

Blockchain/DLT
  • #41014 [BC-Low] The signer can submit multi-tx first to make the coordinator's submission fail

  • #42747 [BC-High] Large BTC transactions with many sbtc deposits can permanently crash/halt all signers

  • #41202 [BC-Insight] A malicious signer can force a failure of the signature round by providing a key ID they don't own

  • #42773 [BC-Medium] Signers can be compromised by a libp2p DoS attack

  • #40692 [BC-High] Calling multiple withdrawals on a single transaction causes Signers to halt and the network to stop

  • #41597 [BC-Insight] Emily server can crash their connected Stacks node when processing a large number of events

  • #42752 [BC-High] Signer can be DOSed through their libp2p component

  • #40731 [BC-Medium] A malicious signer can force a panic in the coordinator by sending `DkgFailure::BadPrivateShares` with an invalid signer ID

  • #42764 [BC-Low] A BTC wallet on signer blocklists can cause network DoS

  • #42404 [BC-Medium] A signer can OOM kill other signers during DKG verification

  • #40770 [BC-Low] Unvalidated withdrawal events allow data manipulation and denial of service in Emily

  • #42750 [BC-Insight] Subtraction overflow risk in WSTS FIRE coordinator

  • #40806 [BC-High] Users can submit deposits containing large `reclaim_scripts` to DoS Emily and Signers

  • #40655 [BC-Medium] Malicious signers can give different votes to other Signers to prevent sBTC withdrawal

  • #41340 [BC-Insight] There is insecure Exposure of `TRUSTED_REORG_API_KEY` in Lambda and it can lead to Potential sBTC Withdrawal Manipulation

  • #41111 [BC-Medium] A malicious signer could manipulate withdrawal decisions preventing accepted and rejected withdrawals from getting confirmed on Stacks chain
