
The malicious observer/node can use the voting function to conduct a DoS attack on ZetaChain #223

Closed
c4-bot-8 opened this issue Dec 7, 2023 · 9 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-536 insufficient quality report This report is not of sufficient quality partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%)

Comments

@c4-bot-8
Contributor

c4-bot-8 commented Dec 7, 2023

Lines of code

https://github.com/code-423n4/2023-11-zetachain/blob/b237708ed5e86f12c4bddabddfd42f001e81941a/repos/node/x/crosschain/keeper/keeper_cross_chain_tx_vote_inbound_tx.go#L95

Vulnerability details

Impact

A malicious observer/node can perform a DoS attack on ZetaChain

Proof of Concept

When there is a new message to vote on (for example: VoteOnObservedInboundTx), FindBallot looks for the Ballot and creates a new Ballot if it does not exist.

Since the validity of the message cannot be verified, if the observer sends an invalid message, a Ballot is also created, but the Ballot fails to pass the vote, and CCTX is not created.

Malicious observers can add a large number of invalid ballots to the blockchain network by sending a large number of invalid messages, consuming the server's storage resources.

The VoteOnObservedInboundTx process is as follows (the same problem exists in other places where voting is required):

```go
func (k msgServer) VoteOnObservedInboundTx(....) {
	....
	ballot, isNew, err := k.zetaObserverKeeper.FindBallot(ctx, index, observationChain, observationType)
	....
	ballot, err = k.zetaObserverKeeper.AddVoteToBallot(ctx, ballot, msg.Creator, observerTypes.VoteType_SuccessObservation)
	....
}

func (k Keeper) FindBallot(....) {
	isNew = false
	ballot, found := k.GetBallot(ctx, index)
	if !found {
		....
		ballot = types.Ballot{
			....
		}
		isNew = true
@>		k.AddBallotToList(ctx, ballot)
	}
	return
}

func (k Keeper) AddBallotToList(ctx sdk.Context, ballot types.Ballot) {
	list, found := k.GetBallotList(ctx, ballot.BallotCreationHeight)
	if !found {
		list = types.BallotListForHeight{Height: ballot.BallotCreationHeight, BallotsIndexList: []string{}}
	}
@>	list.BallotsIndexList = append(list.BallotsIndexList, ballot.BallotIdentifier)
	k.SetBallotList(ctx, &list)
}

func (k Keeper) AddVoteToBallot(ctx sdk.Context, ballot types.Ballot, address string, observationType types.VoteType) (types.Ballot, error) {
	ballot, err := ballot.AddVote(address, observationType)
	if err != nil {
		return ballot, err
	}
	ctx.Logger().Info(fmt.Sprintf("Vote Added | Voter :%s, ballot idetifier %s", address, ballot.BallotIdentifier))
	k.SetBallot(ctx, &ballot)
	return ballot, err
}
```

Tools Used

vscode manual

Recommended Mitigation Steps

Limit the number of votes an observer/node can create.

Assessed type

DoS

@c4-bot-8 c4-bot-8 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Dec 7, 2023
c4-bot-8 added a commit that referenced this issue Dec 7, 2023
@c4-pre-sort

DadeKuma marked the issue as primary issue

@c4-pre-sort

DadeKuma marked the issue as insufficient quality report

@c4-pre-sort c4-pre-sort added the insufficient quality report This report is not of sufficient quality label Dec 21, 2023
@0xean

0xean commented Jan 7, 2024

@DadeKuma - I assume there is some mechanism (slashing perhaps) to prevent this, but am having trouble finding it in the docs, can you refer me?

@0xean

0xean commented Jan 7, 2024

sorry, nevermind, found it. closing

@c4-judge c4-judge closed this as completed Jan 7, 2024
@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Jan 7, 2024
@c4-judge

c4-judge commented Jan 7, 2024

0xean marked the issue as unsatisfactory:
Insufficient quality

@ciphermarco

Hi, @0xean. I'm not sure what this issue defines as "invalid message", but, since my issue #536 is considered a duplicate of this, I'm commenting here. And, I also don't know if the documented slashing mechanism was used to invalidate the issue, but, in my issue, I show how the slashing mechanism cannot punish this misbehaviour.

The problem I present in #536 is that a malicious or faulty observer can freely create useless ballots and not be slashed by this action. As detailed in my submission, the issue is created by the limited voting options for the ballot type that only allows observers to vote for a successful observation. Thus, the malicious chain of events expected is:

  1. A faulty or malicious Observer creates a ballot with a false observation.
  2. Other Observers cannot vote against this observation due to limited voting options.
  3. The ballot remains with the status BallotStatus_BallotInProgress.
  4. As shown in my issue, the slashing mechanism does not account for ballots with the status BallotStatus_BallotInProgress, thus never punishing the spam ballot creator.

I also see no evidence as to why this would be pre-sorted as QA (same for my other issue with a similar impact, but with different root cause #539). This is critical node software and any resource exhaustion vectors are equally critical and expected to be attacked. Though, in the C4 context and rules, I think the Medium severity may be adequate.

Thank you for your consideration and time spent with this.
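To make the two points above concrete (the report's create-on-first-vote FindBallot and the unbounded per-height ballot list, plus the in-progress ballots that ciphermarco notes a finalized-only slashing check never sees), here is an added toy model written for this thread. It is not ZetaChain's code; Keeper, Ballot, NewKeeper and MaxNewBallots are hypothetical names, and the per-observer-per-height quota implements the report's recommended mitigation.

```go
package main

import "fmt"

// Constructed toy model of the report's ballot bookkeeping; not ZetaChain's code, every name hypothetical.
type Ballot struct {
	Identifier, Creator string
	InProgress          bool // opens true; nothing in this model finalizes a bogus ballot
}

// Keeper keeps every ballot plus the append-only per-height index list the
// report points at. MaxNewBallots is the added mitigation (0 = unlimited).
type Keeper struct {
	MaxNewBallots int                // ballots one observer may open per height
	ListByHeight  map[int64][]string // grows by one entry per new ballot
	ballots       map[string]Ballot
	opened        map[string]int // "voter@height" -> ballots opened there
}

func NewKeeper(maxNew int) *Keeper {
	return &Keeper{MaxNewBallots: maxNew, ListByHeight: map[int64][]string{}, ballots: map[string]Ballot{}, opened: map[string]int{}}
}

// FindBallot mirrors the report's FindBallot (create on first sight) but refuses creation once the voter's quota is spent.
func (k *Keeper) FindBallot(index, voter string, height int64) (Ballot, bool, error) {
	if b, ok := k.ballots[index]; ok {
		return b, false, nil
	}
	q := fmt.Sprintf("%s@%d", voter, height)
	if k.MaxNewBallots > 0 && k.opened[q] >= k.MaxNewBallots {
		return Ballot{}, false, fmt.Errorf("%s exceeded ballot quota at height %d", voter, height)
	}
	k.opened[q]++
	b := Ballot{Identifier: index, Creator: voter, InProgress: true}
	k.ballots[index] = b
	k.ListByHeight[height] = append(k.ListByHeight[height], index)
	return b, true, nil
}

// InProgressByCreator counts still-open ballots per creator: the signal a
// slashing or monitoring rule needs, since a rule that inspects only finalized
// ballots never sees them (the gap ciphermarco describes in #536).
func (k *Keeper) InProgressByCreator() map[string]int {
	out := map[string]int{}
	for _, b := range k.ballots {
		if b.InProgress { out[b.Creator]++ }
	}
	return out
}
```

With MaxNewBallots set to 0 the per-height list grows by one entry for every unique index a single voter submits; with a positive quota creation stops at the cap while votes on existing ballots and ballots at a new height still go through.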

@c4-judge

0xean marked the issue as satisfactory

@c4-judge c4-judge reopened this Jan 15, 2024
@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards and removed unsatisfactory does not satisfy C4 submission criteria; not eligible for awards labels Jan 15, 2024
@c4-judge

0xean marked the issue as duplicate of #536

@c4-judge c4-judge added duplicate-536 and removed primary issue Highest quality submission among a set of duplicates labels Jan 15, 2024
@c4-judge

0xean marked the issue as partial-25

@c4-judge c4-judge added partial-25 Incomplete articulation of vulnerability; eligible for partial credit only (25%) and removed satisfactory satisfies C4 submission criteria; eligible for awards labels Jan 15, 2024