Open sherlock-admin2 opened 3 months ago
1 comment(s) were left on this issue during the judging contest.
0xmystery commented:
Malicious node could cause http request to not execute
The protocol team fixed this issue in the following PRs/commits: https://github.com/allora-network/allora-chain/pull/458
LZ_security
Medium
The malicious node may not execute the http request
Summary
Vulnerability Detail
topics_handler will make an http request to call the http api in blockless.
It is often dangerous to initiate an http request in a node on a blockchain. However, because the operation here is performed in a PrepareProposalHandler, it may not result in direct state inconsistency between different nodes.
But the problem here is that the malicious node can not perform this operation, so blockless can not receive http requests.
Because other nodes have no way of knowing whether the http request can be successfully executed, the http request may fail due to network problems.
Therefore, the malicious node can choose not to execute the http request, so that he can save server-side resources, or for the purpose of an attack.
Impact
The api in blockless cannot be invoked because the malicious node does not execute the http request, causing the protocol to fail to work or affecting blockless working efficiency.
Code Snippet
https://github.com/sherlock-audit/2024-06-allora/blob/main/allora-chain/app/api.go#L166-L185
Tool used
Manual Review
Recommendation
Let blockless query data from the chain instead of the node on the chain calling blockless.
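The difference between the push design described in the report and the recommended pull design, as an added Go simulation that is not code from the report or from allora-chain. The `Chain`, `Worker`, `OnPush`, `Pull` and `Run` names and the topic data are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Chain is constructed committed state (topic IDs due per height), identical on every node.
type Chain map[int64][]uint64

// Worker models the off-chain compute side ("blockless" in the report).
type Worker struct {
	done map[uint64]bool // topic IDs already processed (idempotent)
	next int64           // first height not yet pulled
}

func NewWorker() *Worker { return &Worker{done: map[uint64]bool{}, next: 1} }

// OnPush runs only if the height's proposer chose to send the request.
func (w *Worker) OnPush(c Chain, h int64, proposerSends bool) {
	if !proposerSends {
		return // to other nodes this looks like a network failure
	}
	for _, id := range c[h] {
		w.done[id] = true
	}
}

// Pull walks committed heights from the worker's own cursor up to tip, so
// no proposer is on the delivery path and missed heights are caught up.
func (w *Worker) Pull(c Chain, tip int64) {
	for ; w.next <= tip; w.next++ {
		for _, id := range c[w.next] {
			w.done[id] = true
		}
	}
}

// Run replays constructed heights 1..4 where the proposers of heights 2 and
// 3 skip the request; it returns topics processed under push and pull.
func Run() (pushed, pulled int) {
	c := Chain{1: {10}, 2: {11, 12}, 3: {13}, 4: {14}}
	push, pull := NewWorker(), NewWorker()
	for h := int64(1); h <= 4; h++ {
		push.OnPush(c, h, h != 2 && h != 3)
	}
	pull.Pull(c, 2) // poll at height 2, then again at the tip
	pull.Pull(c, 4)
	return len(push.done), len(pull.done)
}

func main() { fmt.Println(Run()) }
```

With the push design the three topics due at the skipped heights are never processed; with the pull design all five are, because delivery no longer depends on any single proposer.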