Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SEC] Unchecked overflow in beaconstate.check_attestation_inclusion #1580

Closed
montyly opened this issue Aug 28, 2020 · 2 comments
Closed

[SEC] Unchecked overflow in beaconstate.check_attestation_inclusion #1580

montyly opened this issue Aug 28, 2020 · 2 comments
Assignees
@tersec
Labels
nbc-audit-2020-1 🛂 status:awaiting-review

Comments

@montyly
Copy link

montyly commented Aug 28, 2020

Severity: Low
Difficulty: High

Description

An unchecked overflow in beaconstate.check_attestation_inclusion can lead the first epoch to accept incorrect attestations.

When receiving an attestation, the eth 2.0 spec checks for:

assert data.slot + MIN_ATTESTATION_INCLUSION_DELAY <= state.slot <= data.slot + SLOTS_PER_EPOCH

beaconstate.check_attestation_inclusion performs the operations without overflow checks:
https://github.com/status-im/nim-beacon-chain/blob/3433c77c35f3025729ac9204ab6b91ea136dce9e/beacon_chain/spec/beaconstate.nim#L539-L547

If current_slot is below 32 and data.slot is the max uint64:

  • data.slot + MIN_ATTESTATION_INCLUSION_DELAY will overflow, and data.slot + MIN_ATTESTATION_INCLUSION_DELAY <= current_slot will return true
  • data.slot + SLOTS_PER_EPOCH will overflow, while current_slot <= data.slot + SLOTS_PER_EPOCH will still return true

As a result, the attestation will be considered as valid by the nbc nodes, while it will be considered as invalid by the other eth 2.0 clients.

This attack can only happen on the first epoch.

Exploit Scenario

On the first epoch, Eve spams the network with invalid attestation. The attestation are accepted by the nbc nodes and rejected by the other nodes. As a result, the nbc nodes spend resources on invalid attestations.

Recommendation

Short term, check for overflow in beaconstate.check_attestation_inclusion.

Long term, identify all the integers that can be controlled by an attacker, and carefully checks the related operations for overflow and underflow
tersec added a commit that referenced this issue Sep 1, 2020
@tersec
address issue #1580
341df92
tersec added a commit that referenced this issue Sep 2, 2020
@tersec @arnetheduck
address issue #1580 (#1600)
e4a43f7 
* address issue #1580

* Update beacon_chain/spec/beaconstate.nim

Co-authored-by: Jacek Sieka <jacek@status.im>
@tersec
Copy link
Contributor

tersec commented Sep 2, 2020

#1600 addresses this.

mratsim pushed a commit that referenced this issue Sep 16, 2020
@tersec @arnetheduck @mratsim
address issue #1580 (#1600)
368bd7c 
* address issue #1580

* Update beacon_chain/spec/beaconstate.nim

Co-authored-by: Jacek Sieka <jacek@status.im>
@montyly
Copy link
Author

montyly commented Dec 18, 2020

Fixed in #1600

@montyly montyly closed this as completed Dec 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tersec tersec

Labels
nbc-audit-2020-1 🛂 status:awaiting-review
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tersec @montyly @mratsim