🛡️ Various prolog predicates lead to chain halt

[ccamel]

Severity: Critical target: v7.1.0 - Commit: 3c854270b006db30aa3894da2cdba10cc31b8c5f Ref: OKP4 Blockchain Audit Report v1.0 - 02-05-2024 - BlockApex

Description

The okp4d (now axoned) blockchain employs ichiban/prolog, a sophisticated engine designed to process the underlying Prolog interpreter with built-in and blockchain-native custom predicates. Prolog inherently exposes a variety of built-in predicates, which the blockchain leverages and further extends with its own custom predicates to enhance functionality. During our security audit, we undertook a methodical approach, deploying an extensive array of Prolog payloads to meet predefined audit objectives. This approach included crafting and testing various combinations of Prolog queries to determine their impact on network stability and performance.

Impact

Direct Query Exploitation Impact: The impact of exploiting direct RPC interfaces with computationally intensive Prolog queries is immediate and severe. When an exposed validator node receives such a query, it allocates excessive computational resources to process it, which can lead to resource exhaustion. This scenario not only degrades the performance of the affected node but, due to the interconnected nature of blockchain networks, can also lead to a cascading effect, impacting the network’s ability to produce and validate new blocks efficiently.

Malicious Validator Attack Impact: The introduction of a malicious transaction by a compromised validator represents a more insidious threat. In this scenario, the malicious code embedded within a smart contract can be executed network-wide, affecting every node that processes the transaction. This method of attack can lead to a more distributed impact, potentially causing a network-wide halt in block production. If a significant number of nodes are affected simultaneously, the blockchain's resilience is tested, risking a complete network shutdown.

Recommandation

TBC