[Bug] A malicious validator can broadcast invalid BatchCertificate or Propose that cause other validators stack overflow #2935
Comments
Is this a duplicate of https://github.com/AleoHQ/snarkOS/issues/2883?
This is different: #2883 is mostly about deserialisation; here the root cause is recursively fetching certificates from peers.
I haven't yet been able to reproduce this bug with a single malicious validator in a cluster of 4. @feezybabee, were you running 4 malicious nodes at the same time?
I can reproduce it with a single malicious validator in 4 nodes. @niklaslong Make sure to start the malicious validator before round 5. Also, use the same snarkOS version.
Reproduced, looking at a fix now.
https://hackerone.com/reports/2279584
Summary:
The `Primary` recursively fetches certificates from other peers upon receiving a new `Propose` and `BatchCertificate`. Although it checks the certificate before storing it into the db, the check is at the end of the recursion. A malicious validator can create a fake certificate that contains another fake certificate at the same round. Then the recursion will never end and will lead to a stack overflow. The call stack will be like this:
The attacker can crash all other validators in this way.
Steps To Reproduce:
See the commit: Gooong@3e7c686
fatal runtime error: stack overflow
Proof-of-Concept (PoC)
How this bug can be exploited:
The attacker just broadcasts a fake certificate. This will cause all other validators to continuously crash and shut down the network.
Supporting Material/References:
See the attachment
Impact
Causes validators to crash and shuts down the network.
Fix suggestions:
Strictly check certificate before the recursion.
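The fix suggestion above (check each certificate before following its references), shown as an added Rust example that is not snarkOS code and not part of the original report. `Cert`, `SyncError`, `sync_checked` and `max_fetch` are hypothetical names, and the rule that a referenced certificate sits exactly one round below its referrer is an assumption of this simplified model.

```rust
use std::collections::{HashMap, HashSet};

// Simplified model for illustration; these types are hypothetical, not snarkOS's.
#[derive(Clone)]
struct Cert { id: u64, round: u64, previous: Vec<u64> }

#[derive(Debug, PartialEq)]
enum SyncError { Missing(u64), BadRound { id: u64, expected: u64, got: u64 }, TooMany }

/// Fetch `root` and its missing ancestors from an untrusted peer (modelled as a map),
/// checking every certificate *before* following the references it carries.
fn sync_checked(peer: &HashMap<u64, Cert>, stored: &HashSet<u64>, root: u64,
                root_round: u64, max_fetch: usize) -> Result<Vec<Cert>, SyncError> {
    let mut accepted = Vec::new();
    let mut seen = HashSet::new();
    // Explicit worklist instead of recursion: depth is not tied to the call stack.
    let mut work = vec![(root, root_round)];
    while let Some((id, expected)) = work.pop() {
        if stored.contains(&id) || !seen.insert(id) { continue; }
        if seen.len() > max_fetch { return Err(SyncError::TooMany); }
        let cert = peer.get(&id).ok_or(SyncError::Missing(id))?;
        // Assumed rule of this model: a referenced certificate sits exactly one
        // round below its referrer, so a same-round chain is rejected here.
        if cert.round != expected {
            return Err(SyncError::BadRound { id, expected, got: cert.round });
        }
        if cert.round > 1 {
            work.extend(cert.previous.iter().map(|p| (*p, cert.round - 1)));
        }
        accepted.push(cert.clone());
    }
    // Nothing is returned for storage unless every fetched certificate passed.
    Ok(accepted)
}

fn main() {
    // Constructed data: certificates 10 and 11 reference each other in round 5.
    let mut peer = HashMap::new();
    peer.insert(10, Cert { id: 10, round: 5, previous: vec![11] });
    peer.insert(11, Cert { id: 11, round: 5, previous: vec![10] });
    println!("{:?}", sync_checked(&peer, &HashSet::new(), 10, 5, 64).map(|v| v.len()));
}
```

The `max_fetch` bound and the `seen` set are additional limits on top of the round check, so work per incoming message stays bounded even if a validation rule is later relaxed.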