[Bug] A malicious validator can broadcast an invalid BatchCertificate or Propose that causes other validators to stack overflow
https://hackerone.com/reports/2279584
Summary:
The Primary recursively fetches certificates from other peers upon receiving a new Propose or BatchCertificate. Although it checks the certificate before storing it into the db, the check is at the end of the recursion.
A malicious validator can create a fake certificate that contains other fake certificates at the same round. Then the recursion never ends and leads to a stack overflow. The call stack looks like this:
sync_with_certificate_from_peer
sync_with_batch_header_from_peer
sync_with_certificate_from_peer
....
The attacker can crash all other validators in this way.
Steps To Reproduce:
See the commit: https://github.com/Gooong/snarkOS/commit/3e7c6866203c02dd9db225f81d794ad9d2aae146
- Clone the repo above
- Run ./devnet.sh
- Wait round 5
- Check the log; some nodes have crashed:
fatal runtime error: stack overflow
Proof-of-Concept (PoC)
How this bug can be exploited:
The attacker just broadcasts fake certificates. This causes all other validators to continuously crash and shuts down the network.
Supporting Material/References:
See the attachment
Impact
Causes validators to crash and shuts down the network.
Fix suggestions:
Strictly check certificate before the recursion.
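As an added illustration (not code from this report or from snarkOS), the following Rust model puts the unchecked recursion described above next to a hardened version of the fix suggested here: it validates each fetched certificate's round against the round its child implies before following any of its references, replaces unbounded recursion with an explicit worklist and a fetch budget, and remembers already-accepted certificates so shared ancestors are not re-fetched. All type and function names (Certificate, Peer, sync_unchecked, sync_checked, SyncError) and the sample certificates are assumptions constructed for this example.

```rust
use std::collections::{HashMap, HashSet};

// Toy model of a certificate DAG. Type and field names are assumptions for
// this example, not snarkOS's own types.
#[derive(Clone, Debug)]
pub struct Certificate {
    pub id: u64,
    pub round: u64,
    /// Ids of the previous-round certificates this one claims to build on.
    pub previous: Vec<u64>,
}

/// Stand-in for a remote peer that answers "give me certificate X".
pub struct Peer {
    certs: HashMap<u64, Certificate>,
}

impl Peer {
    pub fn new(certs: Vec<Certificate>) -> Self {
        Peer { certs: certs.into_iter().map(|c| (c.id, c)).collect() }
    }
    pub fn fetch(&self, id: u64) -> Option<&Certificate> {
        self.certs.get(&id)
    }
}

/// Unchecked sync in the shape the report describes: follow every reference
/// first and validate only once the recursion bottoms out. Two certificates
/// that reference each other make this recurse until the stack is exhausted,
/// so it must never be called on untrusted input.
pub fn sync_unchecked(peer: &Peer, id: u64) -> usize {
    let cert = match peer.fetch(id) {
        Some(c) => c,
        None => return 0,
    };
    let mut count = 1;
    for &parent in &cert.previous {
        count += sync_unchecked(peer, parent);
    }
    count
}

#[derive(Debug, PartialEq)]
pub enum SyncError {
    Missing(u64),
    /// A fetched certificate is not from the round its child implies.
    BadRound { id: u64, expected: u64, actual: u64 },
    /// A round-0 certificate claims parents it cannot have.
    GenesisWithParents(u64),
    /// Fetch budget exhausted; a well-formed DAG should never hit this.
    TooMany(usize),
}

/// Hardened sync: check each fetched certificate *before* queueing its parents,
/// deduplicate accepted ids, and bound the total number of fetches.
/// Returns the number of certificates accepted.
pub fn sync_checked(peer: &Peer, root: u64, max_fetches: usize) -> Result<usize, SyncError> {
    let mut accepted: HashSet<u64> = HashSet::new();
    // (certificate id, round it must have, or None for the root)
    let mut worklist: Vec<(u64, Option<u64>)> = vec![(root, None)];
    let mut fetches = 0usize;

    while let Some((id, expected)) = worklist.pop() {
        if accepted.contains(&id) {
            continue; // shared ancestor, already validated
        }
        if fetches == max_fetches {
            return Err(SyncError::TooMany(max_fetches));
        }
        fetches += 1;
        let cert = peer.fetch(id).ok_or(SyncError::Missing(id))?;

        // Structural check before descending: rounds strictly decrease along
        // parent links, so a same-round reference is rejected here instead of
        // being followed.
        if let Some(expected) = expected {
            if cert.round != expected {
                return Err(SyncError::BadRound { id, expected, actual: cert.round });
            }
        }
        accepted.insert(id);
        match cert.round.checked_sub(1) {
            Some(parent_round) => {
                for &parent in &cert.previous {
                    worklist.push((parent, Some(parent_round)));
                }
            }
            None if cert.previous.is_empty() => {}
            None => return Err(SyncError::GenesisWithParents(id)),
        }
    }
    Ok(accepted.len())
}

fn main() {
    // Constructed sample: two same-round certificates referencing each other.
    let malicious = Peer::new(vec![
        Certificate { id: 10, round: 5, previous: vec![11] },
        Certificate { id: 11, round: 5, previous: vec![10] },
    ]);
    println!("{:?}", sync_checked(&malicious, 10, 100));
}
```

The point of the worklist is that the fetch budget and the visited set turn "how deep can an attacker make us recurse" into a constant the node controls; the round check is what actually rejects the malicious pair, and it fires on the second fetch rather than after an unbounded descent.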
Is this a duplicate of https://github.com/AleoHQ/snarkOS/issues/2883?
This is different: #2883 is mostly about deserialisation; here the root cause is recursively fetching certificates from peers.
I haven't yet been able to reproduce this bug with a single malicious validator in a cluster of 4. @feezybabee, were you running 4 malicious nodes at the same time?
I can reproduce it with a single malicious validator in 4 nodes. @niklaslong Make sure to start the malicious validator before round 5. Also, use the same snarkOS version.
Reproduced, looking at a fix now.