Top 3 Bugs from the Shardeum Core Audit Competition

From July 8 to August 14, 2024, the Shardeum protocol hosted two simultaneous audit competitions on the Immunefi platform, Shardeum Core and Shardeum Ancillaries, welcoming top whitehat talents to find vulnerabilities within their unique EVM-based network infrastructure.
52 of the very best submissions of various severities from participating whitehats were rewarded from a pool of up to $500,000 USDC.
Here are the top three findings from the Shardeum Core audit competition, as identified by the Immunefi team.
Throughout the event, an active development phase was in progress, allowing for real-time fixes of the identified issues. As of this publication, all vulnerabilities have been FIXED.
1. Account balance can be manipulated due to broken signature verification — Report 34456
Finder: neplox, @neploxaudit
Severity: Critical
Impact: Direct loss of funds
Asset: https://github.com/shardeum/shardus-core/tree/dev
It was possible to overwrite the account data of any address in the network on all validator nodes at once, effectively changing the state of the account in the whole network.
There are two internal protocol endpoints called repair_oos_accounts that are legitimately used by Shardeum validator nodes to restore broken accounts after consensus is reached.
However, the “repaired” account information is simply passed as an argument and its signatures are not verified. This allows an attacker to forge and send a request to “restore” any account to any value, breaking the intended AccountPatcher trie hash consensus mechanism.

2. Taking over the network with Golden Ticket — Report 33696
Finder: ZhouWu
Severity: Critical
Impact: Network not being able to confirm new transactions (total network shutdown)
Asset: https://github.com/shardeum/shardus-core/tree/dev
An attacker could become part of the validator network without fulfilling the necessary conditions. This was made possible by the Golden Ticket system built into the protocol. This mechanism is intended for protocol operators, but insufficient ticket validation allows anyone to use it.
By gaining the majority of seats in the validator network, the attacker will gain control of the consensus and through this will be able to control the data in the network and the availability of the network.

3. Decentralized operations could be performed without necessary consensus — Report 33632
Finder: neplox, @neploxaudit
Severity: Critical
Impact: Network not being able to confirm new transactions (total network shutdown)
Asset: https://github.com/shardeum/shardeum/tree/dev
A malicious validator can mislead other nodes into signing data by using unexpected fields in signAppData.
Due to a lack of input validation in signAppData, a malicious validator can make network nodes sign arbitrary data. signAppData checks that appData has the required fields (nominator, nominee, stake, certExp), but doesn’t check for the presence of unexpected extra fields.
By obtaining the necessary signatures, an attacker can perform extensive reconfiguration of the Shardeum network up to full control of the network.
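
The validation gap described above, sketched as an added example (not Shardeum's code): a presence-only check beside a strict one that rejects unexpected fields and builds the bytes to sign from an allowlist. The function names, value types and sample inputs are assumptions made for the illustration.

```javascript
// Added example: hypothetical validators, not Shardeum's signAppData.
const REQUIRED = ['nominator', 'nominee', 'stake', 'certExp'];

// Weak form described in the report: only checks that required fields exist.
function weakValidate(appData) {
  return REQUIRED.every((k) => appData[k] !== undefined);
}

// Strict form: exactly the expected own keys, each with an expected type.
// The types below are assumptions for this example.
const SCHEMA = {
  nominator: (v) => typeof v === 'string' && v.length > 0,
  nominee: (v) => typeof v === 'string' && v.length > 0,
  stake: (v) => typeof v === 'string' && /^[0-9]+$/.test(v),
  certExp: (v) => Number.isSafeInteger(v) && v > 0,
};
const own = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

function strictValidate(appData) {
  if (appData === null || typeof appData !== 'object' || Array.isArray(appData)) {
    return { ok: false, reason: 'not a plain object' };
  }
  const extra = Object.keys(appData).filter((k) => !own(SCHEMA, k));
  if (extra.length > 0) return { ok: false, reason: 'unexpected field: ' + extra.join(',') };
  for (const k of REQUIRED) {
    if (!own(appData, k)) return { ok: false, reason: 'missing field: ' + k };
    if (!SCHEMA[k](appData[k])) return { ok: false, reason: 'bad value: ' + k };
  }
  return { ok: true };
}

// Build the payload to sign from the allowlisted fields only, in fixed order,
// so nothing outside the schema can end up under the node's signature.
function canonicalPayload(appData) {
  const check = strictValidate(appData);
  if (!check.ok) throw new Error('refusing to sign: ' + check.reason);
  return JSON.stringify(REQUIRED.map((k) => [k, appData[k]]));
}

// Constructed sample inputs.
const wellFormed = { nominator: '0xaaa', nominee: 'node-pubkey', stake: '10', certExp: 1723593600000 };
const withExtra = { ...wellFormed, unexpectedField: { anything: true } };
```

The presence-only check accepts both sample objects, while the strict check accepts only the well-formed one.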