Closed sherlock-admin4 closed 4 months ago
Topic creation costs money, it has a fee, which will be tuned to prevent spam transactions
furthermore, each block has a block size cap so the log DoS attack proposed would require money to pull off and would be extremely obvious as you'd have to submit many many transactions with full blocks to have the logs fill.
That said, adding a limit for these parameters is not difficult so we do it here: https://github.com/allora-network/allora-chain/pull/468
The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/468
DoS not possible as topic creation costs money
pks_
High
Unlimited topic parameters size when creating topic can cause node DoS
Summary
Create topic action don't limit
topic.Metadata
andtopic.DefaultArg
parameters size may cause node DoS by increasing large log file.Vulnerability Detail
When creating topic by
CreateTopic
action, there is no any limit ontopic.Metadata
andtopic.DefaultArg
parameters size insidemsg.Validate
function:which means any users can create topic with large
topic.Metadata
andtopic.DefaultArg
parameters size. When process the txs, the chain scan all block txs and process inabci.go#EndBlocker
function of emissions module and log the id, metadata and defaultArgs parameters into log file:This cause one issue may cause node DoS: malicious users can create topic with large
topic.Metadata
andtopic.DefaultArg
parameters size by specify target chain node, then DelegateStake and RemoveDelegateStake with 1 wei as delegator, both the two functions have no amount size:so the cost is very low. Malicious users can repeat such attack crossing many blocks to increasing the node log file. The node may DoS if the log file is large enough.
Impact
Create topic action don't limit
topic.Metadata
andtopic.DefaultArg
parameters size may DoS node with large log file.Code Snippet
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/module/abci.go#L57-L60
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/keeper/msgserver/msg_server_topics.go#L14
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/types/msg_create_topic.go#L10
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/keeper/msgserver/msg_server_stake.go#L135
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/x/emissions/keeper/msgserver/msg_server_stake.go#L174
Tool used
vscode, Manual Review
Recommendation
Add strict parameters size validate inside topic validate function.