'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Somnia Disclosed Report
Audit report Somnia Audit Contest Somnia - Peer Impersonation Attack via Challenge Replay
Target
https://github.com/hackenproof-public/somnia
Vulnerability Details
Somnia - Peer Impersonation Attack via Challenge Replay
Description
A vulnerability exists in the peer-to-peer handshake implementation that allows an attacker to impersonate legitimate nodes during connection establishment. This attack exploits the bidirectional nature of the handshake protocol to replay challenges between different connection sessions, enabling successful spoofing of node identities at the transport layer.
Technical Analysis
Normal Handshake Flow
The peer-to-peer handshake protocol looks something like this (simplified):
- Node A initiates a connection to Node B
- Both nodes generate and exchange random challenges
- Each node signs the received challenge with their private key
- Both nodes verify the received signatures to authenticate their peer
- Upon successful verification, the connection is established with confirmed peer identity
Vulnerability Root Cause
The security of this handshake relies on the assumption that challenges are unpredictable and cannot be known in advance. However, the protocol's bidirectional nature creates a vulnerability window where:
- Challenges are generated and sent before signature verification is complete
- An attacker can obtain a legitimate challenge from one node and replay it to another
- The protocol lacks binding between the challenge and the specific connection context
Attack Methodology
The exploitation leverages the timing gap between challenge exchange and signature verification to perform a challenge replay attack:
Step-by-Step Attack Flow
-
Initial Connection Setup
- Attacker establishes connection with Node A
- Attacker sends arbitrary challenge (
challenge0) to Node A
-
Challenge Harvesting
- Node A responds with its own challenge (
challenge1) - Node A also provides signature for
challenge0(not needed for attack) - Critical vulnerability: Attacker now possesses a legitimate challenge from Node A
- Node A responds with its own challenge (
-
Challenge Replay
- Attacker initiates separate connection with Node B
- Attacker sends the harvested
challenge1(from Node A) to Node B - Node B, believing this is a legitimate challenge, signs it with its private key
-
Identity Spoofing
- Node B returns the signature for
challenge1to the attacker - Attacker relays this signature back to Node A
- Node A verifies the signature successfully (it's a valid signature for its own challenge)
- Result: Node A believes it has completed handshake with Node B, when it actually connected to the attacker
- Node B returns the signature for
Attack Outcome
The attacker successfully impersonates Node B in Node A's view, establishing an authenticated connection under false identity. This breaks the fundamental assumption that authenticated connections represent genuine peer identities.
Impact
Severity: High
This peer impersonation attack allows an attacker to successfully establish authenticated connections while spoofing their identity at the transport layer.
Direct Impact - Transport Layer Spoofing:
-
Peer Discovery Manipulation: The attacker can send malicious
ShareConnectedPeerMessageandRequestPeerDetailsMessagewhile impersonating legitimate nodes, potentially:- Misleading nodes about network topology
- Redirecting peer discovery to attacker-controlled endpoints
- Causing network partitioning or isolation attacks
-
Mempool Transaction Attribution Bypass: The attacker can send transactions to the mempool while appearing to originate from a different peer, potentially:
- Bypassing per-peer rate limiting mechanisms
- Evading reputation-based filtering
- Conducting transaction spam attacks while framing innocent nodes
-
Network Monitoring Evasion: The attacker can evade network-level monitoring and metrics collection that relies on transport-layer sender identification.
Escalation Scenarios:
- Eclipse Attacks: By manipulating peer discovery, an attacker could isolate honest nodes from the network
- Resource Exhaustion: Bypassing rate limiting could enable more effective DoS attacks
So to summarize, an attacker could use this vulnerability to disrupt network connectivity and potentially isolate nodes, while simultaneously conducting enhanced DoS attacks by evading per-peer rate limits.
Remediation
Primary Recommendation: Connection Context Binding
Include connection-specific context in the challenge signature to prevent replay attacks:
For example, include the IP address of the peer as part of the signature data.
Validation steps
Proof of Concept
Overview
The following proof of concept demonstrates the vulnerability by implementing a controlled attack scenario where one node acts as an attacker and successfully impersonates another peer during handshake.
Implementation
Apply the diff included with this report:
Test Case Implementation
Add the following test to demonstrate the attack to the protocol_network_test.cc file:
TEST_F(ProtocolNetworkTest, ProtocolNetworkConnectionSpoofAttack) {
std::vector<std::unique_ptr<NodeActorManager>> nodes;
std::vector<crypto::PrivateKeys> keys;
std::vector<ChainParameters> params;
// Create 3 nodes: Attacker, Node A, Node B
for (int i = 0; i < 3; i++) {
keys.emplace_back(crypto::PrivateKeys::GenerateNonRandomKeys(1337 + i));
params.push_back(protocol_network_chain_parameters);
params[i].local_parameters.protocol_listen_port = 9051 + (i * 10);
params[i].local_parameters.data_listen_port = 9101 + (i * 10);
params[i].local_parameters.api_http_port = 9201 + (i * 10);
params[i].local_parameters.api_websocket_port = 9301 + (i * 10);
params[i].local_parameters.storage_database_directory =
fmt::format("/tmp/somnia_{}_{}", keys[i].GetAddress(), RandomHash());
nodes.emplace_back(std::make_unique<NodeActorManager>(params[i], keys[i], epoch_manager));
}
auto& main_network = nodes[0]->protocol_network.GetAsyncProtocolNetwork();
// Trigger the attack by connecting the attacker to both legitimate nodes
for (int i = 1; i < 3; i++) {
main_network.ConnectToPeer(keys[i].GetAddress(), "127.0.0." + std::to_string(i),
params[i].local_parameters.protocol_listen_port);
std::this_thread::sleep_for(std::chrono::milliseconds(100));
}
// Allow sufficient time for attack execution
std::this_thread::sleep_for(std::chrono::seconds(15));
}
Execution Instructions
bazel test --config no-avx -s //somnia/node:protocol_network_test --test_output=all --test_filter="ProtocolNetworkTest.*"
Note: The sleep timeout may need adjustment based on system performance and network conditions.
Expected Results
Upon successful execution, the test demonstrates the vulnerability through the following log evidence:
[2025-09-10 01:22:31.579] [protocol_net ] [info] PeerNetwork successfully completed handshake with 0x95f9f0834ceeeb6beaf51955a21d61b0ed21114f and my key is 0x371b429f37d6183509d07f94fe8a1aed928353f3
[2025-09-10 01:22:31.628] [protocol_net ] [info] PeerNetwork successfully completed handshake with 0x054a8494bea2c5251e70c3e8120138b21ab91193 and my key is 0x95f9f0834ceeeb6beaf51955a21d61b0ed21114f
[2025-09-10 01:22:31.639] [protocol_net ] [info] PeerNetwork successfully completed handshake with 0x371b429f37d6183509d07f94fe8a1aed928353f3 and my key is 0x054a8494bea2c5251e70c3e8120138b21ab91193
[2025-09-10 01:22:31.639] [protocol_net ] [info] PeerNetwork successfully completed handshake with 0x95f9f0834ceeeb6beaf51955a21d61b0ed21114f and my key is 0x054a8494bea2c5251e70c3e8120138b21ab91193
Attack Scenario Analysis
Node Identities:
- Attacker:
0x054a8494bea2c5251e70c3e8120138b21ab91193 - Node A:
0x371b429f37d6183509d07f94fe8a1aed928353f3 - Node B:
0x95f9f0834ceeeb6beaf51955a21d61b0ed21114f
Resulting Connection State: The attack creates a false connection topology where Node A believes it has established a legitimate connection with Node B, but is actually connected to the attacker:
| Connection | Connected Node Perspective | Reality |
|---|---|---|
Node A ↔ Attacker |
Connected to Node B | Connected to Attacker |
Node B ↔ Attacker |
Connected to Attacker | Connected to Attacker |
Attacker ↔ Node A |
Connected to Node A | Connected to Node A |
Attacker ↔ Node B |
Connected to Node B | Connected to Node B |
This demonstrates successful identity spoofing where the attacker has inserted itself into the intended Node A ↔ Node B communication path while maintaining Node A's belief that it is connected to the legitimate Node B.
Important Note: In the PoC we connected to Node B just because it was simpler, but in reality, the attacker can drop the handshake with Node B and just connect to Node A without compromising it's own identity. Also, the attacker can do the same attack with Node B and connect to Node B as Node A, fooling them both.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (2) 
