Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L100
https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L184
Vulnerability details
Impact
An attacker can perform a DoS attack on a worker.
Proof of Concept
Pink Extension provides two functions for making HTTP requests: http_request and batch_http_request. The default timeout of http_request is 10 * 1000 ms. The problem is that batch_http_request accepts a caller-supplied timeout of any value: it caps the number of requests per batch at 5, but places no limit on the timeout period (see the linked lines in chain-extension/src/lib.rs).

This allows a DoS attack against the worker. An attacker can submit a large number of batch requests, each specifying an effectively infinite timeout, so that many in-flight HTTP requests accumulate in the worker, which can exhaust memory or other resources.

To keep each connection open for as long as possible, the attacker can point the requests at a malicious web server they control, for example one that keeps trickling data to the client so the response never completes and the connection is never closed.
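The following is an added example, not code from the Pink Extension or the Phala repository, that contrasts the behaviour the finding describes (the caller's timeout is used verbatim) with a hardened policy that clamps every caller-supplied timeout to a host-side ceiling. The HttpRequest struct, the constant names, the ceiling value of 10 s, the assumption that a batch's requests run concurrently, and the sample batch are all constructed for this example; the default of 10 * 1000 ms and the per-batch cap of 5 are the figures quoted in the finding.

```rust
use std::time::Duration;

/// Default timeout the finding quotes for `http_request` (10 * 1000 ms).
pub const DEFAULT_HTTP_TIMEOUT_MS: u64 = 10 * 1000;
/// Host-side ceiling on any caller-supplied timeout. Hypothetical value chosen for
/// this example; the page does not name one, and a real fix may pick another.
pub const MAX_HTTP_TIMEOUT_MS: u64 = 10 * 1000;
/// Per-batch request cap the finding describes for `batch_http_request`.
pub const MAX_BATCH_REQUESTS: usize = 5;

/// A caller-supplied request, reduced to the two fields this example needs.
/// Constructed type for illustration, not the extension's own request struct.
#[derive(Debug, Clone)]
pub struct HttpRequest {
    pub url: String,
    /// `None` means "use the default"; `Some(ms)` is whatever the contract asked for.
    pub timeout_ms: Option<u64>,
}

/// Vulnerable policy, as the finding describes it: the caller's value is used
/// verbatim, so `Some(u64::MAX)` yields a timeout of hundreds of millions of years.
pub fn effective_timeout_unbounded(req: &HttpRequest) -> Duration {
    Duration::from_millis(req.timeout_ms.unwrap_or(DEFAULT_HTTP_TIMEOUT_MS))
}

/// Hardened policy: the caller may shorten the timeout but never extend it past
/// the ceiling, so no single request can outlive MAX_HTTP_TIMEOUT_MS.
pub fn effective_timeout_clamped(req: &HttpRequest) -> Duration {
    let requested = req.timeout_ms.unwrap_or(DEFAULT_HTTP_TIMEOUT_MS);
    Duration::from_millis(requested.min(MAX_HTTP_TIMEOUT_MS))
}

/// Longest time a single batch can hold worker resources under a given policy.
/// Assumes (for this example) that a batch's requests run concurrently, so the
/// batch is bounded by its slowest member rather than the sum. Rejects batches
/// over the size cap, the one limit the finding says the code already enforces.
pub fn worst_case_batch_hold(
    reqs: &[HttpRequest],
    policy: fn(&HttpRequest) -> Duration,
) -> Result<Duration, String> {
    if reqs.len() > MAX_BATCH_REQUESTS {
        return Err(format!(
            "batch of {} requests exceeds the limit of {}",
            reqs.len(),
            MAX_BATCH_REQUESTS
        ));
    }
    Ok(reqs.iter().map(policy).max().unwrap_or(Duration::ZERO))
}

/// Steady-state number of in-flight requests an attacker sustains by submitting
/// `batches_per_second` full batches whose requests each stay open for `hold`
/// (Little's law: arrival rate * residence time). With an unbounded timeout and a
/// server that never finishes responding, this number has no upper bound.
pub fn steady_state_in_flight(batches_per_second: u64, hold: Duration) -> u128 {
    batches_per_second as u128 * MAX_BATCH_REQUESTS as u128 * hold.as_secs() as u128
}

fn main() {
    // Constructed sample batch: four ordinary requests plus one asking for an
    // effectively infinite timeout, aimed at an attacker-controlled trickling host.
    let mut batch: Vec<HttpRequest> = (0..4)
        .map(|i| HttpRequest {
            url: format!("https://api.example.test/v1/item/{i}"),
            timeout_ms: Some(2_000),
        })
        .collect();
    batch.push(HttpRequest {
        url: "http://attacker.example.test/trickle".to_string(),
        timeout_ms: Some(u64::MAX),
    });

    let unbounded = worst_case_batch_hold(&batch, effective_timeout_unbounded).unwrap();
    let clamped = worst_case_batch_hold(&batch, effective_timeout_clamped).unwrap();
    println!("unbounded worst-case hold: {:?}", unbounded);
    println!("clamped worst-case hold:   {:?}", clamped);
    println!(
        "in flight at 10 batches/s under the clamp: {}",
        steady_state_in_flight(10, clamped)
    );
}
```

The clamp only helps if the ceiling bounds the whole request, not just time between bytes: a server that trickles one byte every few seconds defeats any idle or read timeout, which is exactly the attacker behaviour the finding describes. With a total-request deadline of 10 s and 5 requests per batch, an attacker sending 10 batches per second can keep at most 500 connections open at once, against an unbounded number before the change.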
In addition, the Extension ultimately runs in the worker as a native .so file, so the HTTP request code is not executed inside the contract VM and the DoS cannot be prevented by gas metering.

Tools Used
vscode, manual
Recommended Mitigation Steps
Assessed type
DoS