Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] Malicious validator can send fake block locator and halt the network(node is syncing) #3242

Open
feezybabee opened this issue May 1, 2024 · 9 comments
Assignees
Labels
bug Incorrect or unexpected behavior

Comments

@feezybabee
Copy link

https://hackerone.com/reports/2481394

Summary:

Malicious validator send fake block locator and halt the network(node is syncing)

Steps To Reproduce:

  1. Use this branch.git clone git@github.com:ghostant-1017/mysnarkOS.git && git checkout attack/block-locator
  2. Start the devnet cd snarkos && ./devnet with 4 validators, 0 clients
  3. Observer the logs, we will find the 2024-04-28T05:47:13.565818Z DEBUG Skipping batch proposal (node is syncing) 2024-04-28T05:47:14.491356Z INFO @@@@@Recevied primary ping from '127.0.0.1:5000'..., height: 100

Logs:
image

Proof-of-Concept (PoC)

  1. Assume current_height = 100, malicious validators will forge block_locators at height = 200
  2. Honest validators will find themselves beind, and set is_synced true
  3. All validators will skip proposal since they are syncing, DEBUG Skipping batch proposal (node is syncing)

Impact

Malicious validator send fake block locator and halt the network(node is syncing)

@feezybabee feezybabee added the bug Incorrect or unexpected behavior label May 1, 2024
@vicsn
Copy link
Collaborator

vicsn commented May 14, 2024

@niklaslong can you comment on this, since I believe we discussed this previously. Shouldn't the continued random sampling of peers ensure that a validator does not get stuck on malicious block_locators for too long?

@ghostant-1017
Copy link
Contributor

@niklaslong can you comment on this, since I believe we discussed this previously. Shouldn't the continued random sampling of peers ensure that a validator does not get stuck on malicious block_locators for too long?

It seems that the validator node will not sample peers to disconnect.

@niklaslong
Copy link
Collaborator

niklaslong commented May 16, 2024

@ghostant-1017 If I'm reading this correctly, a single malicious validator is sufficient to reproduce the behaviour? I notice the height is also 0, is this a special case or is it reproducible with a non-empty chain state? Sync logic should contain redundancies (granted not up to quorum) against this type of attack already.

@ghostant-1017
Copy link
Contributor

@niklaslong You are right, single malicious validator is sufficient.
You can use that branch in the report, it's reproducible with a non-empty chain state.
Steps:

  1. ./devnet with 4 validators 0 client
  2. stop node0 and wait for other 3 nodes produce blocks
  3. restart node0, the network can not produce blocks anymore.

@ghostant-1017
Copy link
Contributor

image

@vicsn
Copy link
Collaborator

vicsn commented Jun 11, 2024

@feezybabee this is a valid P1, especially for preparing the clear reproduction case. Though I'll note for context its not a very unique P1 because the topic has been discussed internally and there's already a // TODO (howardwu): Change this in the code right above where the fix should be.

@ghostant-1017
Copy link
Contributor

@feezybabee this is a valid P1, especially for preparing the clear reproduction case. Though I'll note for context its not a very unique P1 because the topic has been discussed internally and there's already a // TODO (howardwu): Change this in the code right above where the fix should be.

The // TODO in the code is not the solution to solve this issue.

@damons
Copy link

damons commented Jul 26, 2024

I'm concerned about utilizing the concept of is_synced being set to true at all. In reality, there's no way any validator can ever be confident that it is_synced because at any given millisecond later, that will not be true. And, as long as validator progress is halted and is_synced is used as a semaphore, the potential for validator starvation will always exist--unless the concept of is_synced is hard-removed entirely.

@raychu86
Copy link
Contributor

raychu86 commented Nov 15, 2024

Should be addressed by #3422.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Incorrect or unexpected behavior
Projects
None yet
Development

No branches or pull requests

7 participants