'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Somnia Disclosed Report
Audit report Somnia Audit Contest Memory Exhaustion via Unbounded Storage of Orphaned Data Chain Blocks
Target
https://github.com/hackenproof-public/somnia
Vulnerability Details
Summary
The DataChain component, responsible for processing blocks from individual validator data chains is vulnerable to a memory exhaustion Denial of Service attack. A malicious peer can send a high volume of validly signed but un-committable ("orphaned"), data chain blocks to a victim node. The receiving node logic correctly identify that these blocks cannot be appended to its canonical chain but proceed to store their headers and metadata in unbounded in-memory maps.
There is no limit on the number of orphaned blocks a node will store. An attacker can exploit this by proactively sending a continuous stream of such blocks, forcing the victim node's memory usage to grow indefinitely until it exhausts all available system memory and crashes. This is a critical peer-to-peer network flaw that allows a single malicious actor to force any targeted node offline.
Vulnerability Details
The vulnerability lies in the DataChain::ReceivedBlock function. While the protocol includes throttling for requesting missing blocks, there is no corresponding rate-limit or bounding mechanism for blocks that are proactively pushed by a peer.
- Ingress Point: A peer send a
DataChain::BlockViewmessage to a node. This message is routed to theDataChainStore, which call theDataChain::ReceivedBlockfunction for the corresponding data chain. - Validation and Storage: The
ReceivedBlockfunction first validate the block's internal integrity and signature (block.Validate()). If the block is valid, its header is immediately stored in thereceived_blocksmap. Code Reference (data_chains/data_chain.cc):// ... if (received_blocks.count(input_block.block_hash)) { return; // Already have it. } // ... // Store the block header in memory. BlockHeader block_header = BlockHeader::FromBlock(input_block); received_blocks.emplace(input_block.block_hash, block_header); - Orphan Handling: The function then attempt to link the new block to its parent. If the parent is not found in the
committed_block_chain, the block is considered an orphan. The logic does not discard the orphan but instead, it add it to another in-memory map,uncommitted_blocksand the function terminate. - Unbounded Growth: Neither the
received_blocksmap nor theuncommitted_blocksmap has a size limit. An attacker can repeatedly send different, validly signed orphaned blocks, each of which will pass validation and be permanently stored in these maps, causing memory usage to grow linearly with the number of blocks sent.
Proof of Concept
The vulnerability is proven by the C++ test case ProactiveOrphanedBlockSpamCausesUnboundedMemoryGrowth. The test simulates a malicious peer and a victim node.
-
Step 1: Setup A
DataChainTestfixture is already created, which includes aDataChainobject representing the victim's state for a specific data chain. -
Step 2: Attack Simulation The test enter a loop for a large number of iterations (10,000). In each iteration, it: a. Craft a new, unique
DataChain::BlockViewthat is internally valid and correctly signed. b. Each block is chained to the previously generated one, creating a long, consistent but orphaned blockchain that is detached from the victim's canonical chain. c. It calldata_chain.ReceivedBlock()with this malicious block simulating a P2P message. -
Verified Result: The test PASS. This prove that the victim's
DataChainobject accepted and processed all 10,000 malicious blocks without any rejection or rate-limiting. TheASSERT_EQ(data_chain.GetBlockchainHeight(), 0)check within the test confirm that none of these blocks were ever committed, meaning all 10,000 are being held in the node's in-memory maps. This demonstrate the unbounded memory growth and confirms the vulnerability.
Impact
- Peer-to-peer network flaw (Primary Impact): The P2P layer fail to protect the node from resource exhaustion caused by malicious, but protocol-compliant, messages.
- Denial of Service: An attacker can target specific validator nodes and force them offline by exhausting their memory. By taking
f+1validators offline, an attacker could potentially halt the entire network. This is a severe threat to the liveness of the protocol.
Recommendation
A bounding mechanism should be introduced for in-memory storage of uncommitted/orphaned blocks but my suggestions are :
- Implement a Hard Cap: Introduce a configurable
max_uncommitted_blockslimit. Ifreceived_blocks.size()oruncommitted_blocks.size()exceeds this limit, theDataChainshould stop accepting new orphaned blocks. - Implement an Eviction Policy: When the cap is reached, the node should evict the oldest orphaned block to make room for a new one. This prevents unbounded growth while still allowing the node to process a reasonable number of out-of-order blocks.
- Per-Peer Limits (though Optional) : consider tracking the number of orphaned blocks received from each peer and temporarily banning peers that send an excessive number.
Validation steps
// This test prove that a node can be forced to consume unbounded memory by a peer
// proactively sending a long, validly signed, but un-committable chain of data blocks.
// The node store these "orphaned" block headers in memory indefinitely, leading to a DoS.
TEST_F(DataChainTest, ProactiveOrphanedBlockSpamCausesUnboundedMemoryGrowth) {
// 1. SETUP: We have a `data_chain` object representing the victim node's state
// for the data chain owned by `data_chain_owner_user`.
// 2. ATTACK: A malicious peer generates and sends a long chain of valid blocks that
// are orphaned because they descend from a parent hash the victim will never see.
Hash fake_parent_hash = NonRandomHash(999);
const size_t num_malicious_blocks = 10000; // A large number of blocks to simulate a spam attack.
DataChain::BlockView parent_block;
parent_block.block_hash = fake_parent_hash;
parent_block.total_resources_committed = {}; // Start from zero for the fake chain.
for (size_t i = 1; i <= num_malicious_blocks; ++i) {
// The block number is irrelevant as long as it's > 0, as the parent is what matters.
DataChain::BlockView malicious_block = CreateDataChainBlock(i, parent_block, "spam_payload_" + std::to_string(i));
// Sanity check that the block is validly self-signed.
ASSERT_TRUE(malicious_block.Validate());
// Simulate the peer sending this block. The victim node's `ReceivedBlock` is called.
// There is no rate-limiting on this ingress path.
data_chain.ReceivedBlock(malicious_block);
// Update the parent for the next block in the spam chain.
parent_block = malicious_block;
}
// 3. ASSERTION: Check the state of the victim's DataChain object.
// The canonical blockchain height should NOT have advanced, because none of the
// blocks could be connected to the real genesis (ZeroHash).
ASSERT_EQ(data_chain.GetBlockchainHeight(), 0)
<< "The canonical chain should not have grown.";
// Although the chain height is 0, the node has accepted, validated, and stored
// all `num_malicious_blocks` in its in-memory maps. We can't directly access the
// size of the internal `received_blocks` map from this test fixture.
// However, the code in `data_chain.cc` is clear: every valid block passed to
// `ReceivedBlock` is emplaced into `received_blocks`.
// The lack of a size limit on this map is the vulnerability.
// This test passing demonstrates that the node processed all 10,000 blocks without
// any transport-level rejection, proving the logical flaw.
SUCCEED() << "Logical flaw confirmed: Node accepted and stored " << num_malicious_blocks
<< " orphaned blocks in memory without any bounding mechanism. "
<< "This leads to unbounded memory growth.";
}
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (2) 
