search

sherlock-audit / 2024-05-aleo-judging

0 stars 0 forks source link

dtheo - Aleo prover/network DOS vector due to invalid `split` proofs being free to abuse #34

Open sherlock-admin4 opened 2 weeks ago

sherlock-admin4 commented 2 weeks ago

dtheo

High

Aleo prover/network DOS vector due to invalid split proofs being free to abuse

Summary

Split transactions that contain only 1 transition (the entire transaction is a single split transaction and nothing else) do not require a fee commitment. This allows for a malicious entity to grieve provers by forcing them to attempt and verify invalid proofs with no monetary loss. This can be used by competing provers to DOS their competition and waste CPU cycles that would otherwise be used towards the "mining/proving" the next block. A malicious actor attack multiple provers can significantly slow or stop aleo blocks from being created.

Vulnerability Detail

Aleo has fee, deploy and execute transaction types. If a deploy or an execute transaction type is broadcasted with an invalid proof or if the finalize fails then their corresponding fee transaction will be consumed instead. This is a DOS prevention feature that Aleo uses to prevent the network from having to verify proofs without some amount of collateral fee on the side.

Single split transactions, when called by users directly, are a special case where the there is no fee commitment required. Aleo attempts to charge the fee directly in the split function by burning it. The issue is that if there is not sufficient funds to pay the fee and the proof fails then their is no backup fee commitment to seize. This opens up the Aleo network to a DOS vector that that is nearly free to abuse.

An attacker must only pay the initial fees to make a large number of private records with at least 1 microcredit each. As long as they only use each credit once per block , they can reuse the records to to make invalid proofs that will pass all of the transaction prechecks in check_fee, check_transaction, etc. until the proof verification is attempted and CPU cycles are wasted.

Impact

This can be used to DOS Aleo provers by other provers competing to solve the Aleo Coinbase Puzzle (and gain rewards). If a malicious entity attacked all provers at the same time the Aleo network would stop producing blocks during this time.

Code Snippet

snarkVM/synthesizer/src/vm/verify.rs#L225-L248

snarkVM/synthesizer/program/src/resources/credits.aleo#L947-L972)

Tool used

Manual Review

Recommendation

Require a fee commitment outside of the split transaction than can be verified quickly in the transaction precheck/speculation flow.

sammy-tm commented 1 week ago

@evanmarshall

Can you tell us your thoughts about this issue?