Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Malicious validator can send fake block locator and halt the network(node is syncing) #3242

Open
feezybabee opened this issue May 1, 2024 · 5 comments
Open

[Bug] Malicious validator can send fake block locator and halt the network(node is syncing) #3242

feezybabee opened this issue May 1, 2024 · 5 comments
Assignees
@mdelle1
Labels
bug Incorrect or unexpected behavior

Comments

@feezybabee
Copy link

https://hackerone.com/reports/2481394

Summary:

Malicious validator send fake block locator and halt the network(node is syncing)

Steps To Reproduce:

  1. Use this branch.git clone git@github.com:ghostant-1017/mysnarkOS.git && git checkout attack/block-locator
  2. Start the devnet cd snarkos && ./devnet with 4 validators, 0 clients
  3. Observer the logs, we will find the 2024-04-28T05:47:13.565818Z DEBUG Skipping batch proposal (node is syncing) 2024-04-28T05:47:14.491356Z INFO @@@@@Recevied primary ping from '127.0.0.1:5000'..., height: 100

Logs:
image

Proof-of-Concept (PoC)

  1. Assume current_height = 100, malicious validators will forge block_locators at height = 200
  2. Honest validators will find themselves beind, and set is_synced true
  3. All validators will skip proposal since they are syncing, DEBUG Skipping batch proposal (node is syncing)

Impact

Malicious validator send fake block locator and halt the network(node is syncing)
@feezybabee feezybabee added the bug Incorrect or unexpected behavior label May 1, 2024
@vicsn
Copy link
Contributor

vicsn commented May 14, 2024

@niklaslong can you comment on this, since I believe we discussed this previously. Shouldn't the continued random sampling of peers ensure that a validator does not get stuck on malicious block_locators for too long?

@ghostant-1017
Copy link
Contributor

@niklaslong can you comment on this, since I believe we discussed this previously. Shouldn't the continued random sampling of peers ensure that a validator does not get stuck on malicious block_locators for too long?

It seems that the validator node will not sample peers to disconnect.

@niklaslong
Copy link
Collaborator

niklaslong commented May 16, 2024
edited

@ghostant-1017 If I'm reading this correctly, a single malicious validator is sufficient to reproduce the behaviour? I notice the height is also 0, is this a special case or is it reproducible with a non-empty chain state? Sync logic should contain redundancies (granted not up to quorum) against this type of attack already.

@ghostant-1017
Copy link
Contributor

@niklaslong You are right, single malicious validator is sufficient.
You can use that branch in the report, it's reproducible with a non-empty chain state.
Steps:

  1. ./devnet with 4 validators 0 client
  2. stop node0 and wait for other 3 nodes produce blocks
  3. restart node0, the network can not produce blocks anymore.

@ghostant-1017
Copy link
Contributor

image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mdelle1 mdelle1

Labels
bug Incorrect or unexpected behavior
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@niklaslong @vicsn @ghostant-1017 @mdelle1 @feezybabee