search
Active Boosts

#40692 [BC-High] Calling multiple withdrawals on a single transaction causes Signers to halt and the network to stop

Submitted on Mar 1st 2025 at 15:01:37 UTC by @vini_btc for Attackathon | Stacks IIarrow-up-right

  • Report ID: #40692

  • Report Type: Blockchain/DLT

  • Report severity: High

  • Target: https://github.com/stacks-network/sbtc/tree/immunefi_attackaton_1.0

  • Impacts:

    • Network not being able to confirm new transactions (total network shutdown)

hashtag
Description

hashtag
Brief/Intro

Multiple withdrawals called from the same transaction can cause Signers to halt, and mining to stop. This can be achieved by crafting a special contract that calls the sbtc initiate withdrawal function. A single contract call can call the withdrawal function 500+ times, which effectively "DOSes" the sbtc network 100%.

hashtag
Vulnerability Details

When multiple requests are started from a single transaction, the request-decider module of the signers quickly starts failing with:

2025-03-01 14:36:48 2025-03-01T13:36:48.088677424Z ERROR request-decider{public_key=02007311430123d4cad97f4f7e86e023b28143130a18099ecf094d36fef0f6135c}: signer::request_decider: error handling signer message error=received an error when attempting to query the database: error returned from database: insert or update on table "withdrawal_signers" violates foreign key constraint "withdrawal_signers_request_id_block_hash_fkey"

I also see a spam of logs looking like this in the Emily-Service:

and the monitor acuses a Stacks blockchain halt:

The actual transaction abusing the network never confirms (see screenshots).

A single transaction can have around ~550 calls to the initiate-withdrawal-request functionarrow-up-right. At the upper bound limit number of calls, the error can be triggered consistently.

At the lower bound, the error can never be reproduced. For example, the same contract triggering only 10 requests goes through fine and doesn't cause any problems in the network.

hashtag
Impact Details

Such a transaction would be extremely viable economically. The attacker could craft the request calls in a way that they'd never be fulfilled - by setting the amount to the minimum dust amount and/or setting the max fee to pay to 0. The price of such a transaction currently on Stacks would probably still be bellow 50$ easily. Multiple of these transactions could potentially be called in succession for a relatively low $ price given the potential impact: completely stopping the Stacks Network.

hashtag
References

n/a

hashtag
Link to Proof of Concept

https://gist.github.com/vini-btc/710583455a827257ab488e56f276503b

hashtag
Proof of Concept

hashtag
Proof of Concept

PreviousStacks II AttackathonNext#40655 [BC-Medium] Malicious signers can give different votes to other Signers to prevent sBTC withdrawal

Was this helpful?