search

sherlock-audit / 2024-06-allora-judging

0 stars 0 forks source link

LZ_security - When a single node(blockless server) is attacked, the entire chain is attacked. #105

Closed sherlock-admin3 closed 3 months ago

sherlock-admin3 commented 3 months ago

LZ_security

Medium

When a single node(blockless server) is attacked, the entire chain is attacked.

Summary

When a single node(blockless server) is attacked, the entire chain is attacked.

Vulnerability Detail

topics_handler will make an http request to call the http api in blockless,

func makeApiCall(payload string) error {
    url := os.Getenv("BLOCKLESS_API_URL")
    method := "POST"

    client := &http.Client{}
    req, err := http.NewRequest(method, url, strings.NewReader(payload))
    if err != nil {
        return err
    }
    req.Header.Add("Accept", "application/json, text/plain, */*")
    req.Header.Add("Content-Type", "application/json;charset=UTF-8")

    res, err := client.Do(req)
    if err != nil {
        return err
    }
    defer res.Body.Close()

    return nil
}

It is often dangerous to initiate an http request in a node on a blockchain chain. However, because the operation here is performed in a PrepareProposalHandler, it may not result in direct state inconsistency between different nodes.

However, this can cause the following problems: If the url of the http request is hijacked and redirected to a malicious http server, it can cause the node to crash.

A malicious server can return a large amount of data, or return a continuous stream of data, causing the client to remain in a state of receiving data. A large number of client requests that cannot be completed can cause the client (verifier node) resource to be consumed or crash (The memory is insufficient or the number of threads has reached the maximum).

We believe blockless servers are trusted, but we cannot guarantee that blockless cannot be hacked, For example, DDoS attacks can slow down the speed of http, and if there are a large number of such requests in the node, the node will slow down the block production speed, or even stop. In addition, domain hijacking causes blockless to be executed with malicious server addresses.

Typically, blockchains are made up of many nodes, but problems with http requests can lead to problems with the entire chain because of security issues with a single blockless server.

Impact

If the blockless server is attacked or the domain name is hijacked, the entire chain will be attacked.

Code Snippet

https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/app/api.go#L166-L185

Tool used

Manual Review

Recommendation

Set timeout times for http requests and limit the size of the data to be accepted. Or cancel making http requests in node.

Duplicate of #47

sherlock-admin4 commented 3 months ago

1 comment(s) were left on this issue during the judging contest.

0xmystery commented:

No timeout limits are set in requests

sherlock-admin2 commented 2 months ago

The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/458