libp2p nodes vulnerable to OOM attack

[scacaca]

Summary

This can occur because when a signed peer record is received, only the signature validity check is performed but the sender signature is not checked. Signed peer records from randomly generated peers can be sent by a malicious actor. A target node will accept the peer record as long as the signature is valid, and then stored in the peer store.

Expected behavior

reject peer on peer ID mismatch

Actual behavior

saved the mismatched peer

Relevant log output

Possible Solution

reject peer on peer ID mismatch

Version

No response

Would you like to work on fixing this bug ?

Yes