'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Somnia Disclosed Report
Audit report Somnia Audit Contest LeaderViewChangeMessage is not properly checked, and malicious request payloads can be inserted, leading to total network shutdown with fork
Target
https://github.com/hackenproof-public/somnia
Vulnerability Details
Description
When the current leader of a view in PBFT does not respond within a given timeout window, the nodes advance to the next view to get a new leader and continue the consensus process. In this case, all nodes send a LeaderViewChangeMessage to the new leader so that he can use the nodes votes to move to the next view:
https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_view_manager.cc#L590-L595
The new consensus leader then builds a NewViewMessage, including all the LeaderViewChangeMessages, so that the nodes can verify that the view change has been agreed upon by a 2f+1 majority of nodes. This message is then broadcast to all nodes, allowing them to update their view:
https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_view_manager.cc#L748-L755
All nodes then attempt to switch to the view in TryEnterNewView:
https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_view_manager.cc#L765
In this function, GetLockedRequestBatchesForNewView is used to obtain the request batches that should be carried over into the next round. This is determined based on the request batches provided in the LeaderViewChangeMessages that are included in the NewViewMessage. To decide which request batches must be taken in the next view a LeaderViewChangeMessage has three fields:
latest_observed_checkpoint(https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_types.h#L472): This is the latest checkpoint of the node that sent the message. It is needed to determine the first sequence number that has not been checkpointed and will probably need to be included in the next view.certificate_rounds_above_checkpointed(https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_types.h#L477): These are the sequence numbers that already have a certificate and probably need to be committed or re-proposed in the next view.preprepared_rounds_above_checkpointed(https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_types.h#L489): These are sequence numbers with views that are currently in the pre-prepare round and are only re-proposed when they have f+1 votes.
In GetLockedRequestBatchesForNewView, the latest_observed_checkpoint field is first used to determine the maximum checkpointed sequence number. At this point, the certificate is validated if necessary:
https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_view_manager.cc#L983-L986
Then certificate_rounds_above_checkpointed is used to determine the highest view that has a certificate for a given sequence number. At this stage, both the certificate and the underlying request batch are verified:
https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_view_manager.cc#L1085-L1087
As a last step, preprepared_rounds_above_checkpointed is used to determine the views in the sequence numbers that have more than f+1 votes and should be re-proposed. In this step, the data is not validated, and a malicious validator could include a request batch with arbitrary payloads because the hashes are not checked. Normally, a validator would need f+1 votes for a request batch to be re-proposed, but since the hashes are not verified, the validator could set the request batch hash to a batch that already has more than f+1 votes but with malicious request payloads:
https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_view_manager.cc#L1111-L1150
One thing an attacker must pay attention to is that their votes must be the ones crossing the f+1 threshold; otherwise, another request batch without a malicious payload will already have been included in proposal_majority_rounds_for_new_view and the attacker’s request batch will not be set:
https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_view_manager.cc#L1125-L1135
This can be done most efficiently by an attacker who waits to become the consensus leader, because then they can simply order the LeaderViewChangeMessages in NewViewMessage and set their request batch so that it is included in proposal_majority_rounds_for_new_view in GetLockedRequestBatchesForNewView.
After this, the request batch is set for the new round. An attacker could exploit this when they are the consensus leader by sending one half of the nodes a request batch and the other half a request batch with different payloads but the same hash. Since the hashes are not verified until execution, one half of the network will execute different transactions than the other half. This results in divergent blocks and causes the chain to fork. After about 16 blocks, the chain will halt because the sequence commitments included in the blocks no longer match, and no transactions can be executed anymore: https://github.com/hackenproof-public/somnia/blob/5931d305dd6fb02b637efd2fca13e77731d05804/somnia/pbft/pbft_round_manager.cc#L219-L236
Recommendation
The hashes of the request batch should be verified in GetLockedRequestBatchesForNewView when adding a round to proposal_majority_rounds_for_new_view
Validation steps
The following modifications must be applied to the code to run the POC. The reasons for some of the modifications are explained in the comments accompanying the changes: https://gist.github.com/TheSchnilch/a618c01e1b7913e3697495a57396aa13
The POC can be executed with NETWORK_PRESET=mainnet-small ./ci/run-local-deployment.sh
How the POC works
- In epoch 3, the first consensus leader proposes 5 request batches and then simulates a timeout.
- Sequence number 5 has only one prepare vote because the other nodes have not sent theirs, so it is included in
preprepared_rounds_above_checkpointedin theLeaderViewChangeMessage. - The new leader is malicious and adds an additional vote for sequence number 5 in
preprepared_rounds_above_checkpointed. - The malicious leader creates two different
NewViewMessages: one containing the correct request payloads for sequence number 5, and another with no payloads. - Half of the network receives the first
NewViewMessage, while the other half receives the second message. - Due to the different state changes in the two payloads, the resulting blocks differ, causing the chain to fork and finally halting the production of new blocks.
After this the output of the nodes should look like the one in screenshot.
To verify that the chain actually forked this curl request can be used on node http://127.0.0.1:6500 and http://127.0.0.1:6501 to see that the block hashes are different at block 400 (block 400 because we are in epoch 3 and 3*128 + 5 = 389. This means block 400 is one of the forked):
curl -X POST -H "Content-Type: application/json" \
--data '{"jsonrpc":"2.0","method":"eth_getBlockByNumber","params":["0x190", false],"id":1}' \
http://127.0.0.1:6500
Attachments
hidden 
Comments on this report are hidden 
Details 
Participants (3) 
