Network not being able to confirm new transactions (total network shutdown)
Description
Brief/Intro
The DKG verification state machine stores WSTS messages in Vecs of queued messages, but does not discard these messages after they have been processed. Signers can exploit this during DKG verification by holding up the verification process and filling the queued message Vecs of other signers with bogus messages. This can lead to an out of memory (OOM) kill of any signer by a malcious signer during the DKG verification process, shutting down the network.
Vulnerability Details
The main vulnerability lies in signer/src/dkg/verification.rs. In the function process_queued_messages, rather than removing old messages from the wsts_messages HashMap that have been processed, they simply get marked as processed and remain in their current Vec:
// Process all of the messages that we determined could be processed.formsginmessages{// Mark the message as processed so that even if it fails we don't// try to process it again.msg.mark_processed();// ...}
There are numerous ways that a signer can hold up the DKG verification process in order to flood other signers with bogus messages and OOM kill them. A couple of these methods are shown in the PoC. The approaches shown in the PoC are:
If the signer is a coordinator, they can withhold the SignatureShareRequest and instead spam other signers with bogus SignatureShareResponse messages
If the signer is not a coordinator, they can withhold their NonceResponse and instead spam other signers with bogus SignatureShareResponse messages
The malicious signer simply needs to fill the Vecs of other signers to the point of OOM killing them, before the DKG verification round times out. Additionally, they can have multiple chances at this since many DKG verification state machines can be present in memory (in signer/src/transaction_signer.rs), allowing plenty of time to OOM kill signers:
Impact Details
Because a single signer is capable of OOM killing any other signer during the DKG verification process, the malicious signer can shut down the network. I classify this as "Network not being able to confirm new transactions (total network shutdown)"
Commit on branch: https://github.com/stacks-network/sbtc/commit/79e0caf06f079cee08831fdc13d21de5459170b9
Proof of Concept
First add the following printing to show that the exploited Vec length is growing in the logs:
Now, apply the modifications of each approach separately below, then do the following after applying each modification:
Approach 1: Coordinator
For this example just assume that the first coordinator is the malicious one (the subsequent coordinators will act maliciously too, but we only need to see it happen once). In this approach, the coordinator holds up DKG verification by withholding the SignatureShareRequest, instead spamming the signers with large SignatureShareResponse messages.
Approach 2: Any Signer
In this approach, any signer can hold up the DKG verification process by withholding their NonceResponse message, then once again spamming all signers with bogus SignatureShareResponse messages. In this case, signer_id == 2 is assigned as the malicious signer.
Expected Results
Look at the logs of signer 3, for example:
With both approaches, a message similar to this should appear in the logs for the signers:
The attack PoC is limited to just 100 messages here, but more could be sent to cause an OOM kill.
