feezybabee

Results 14 issues of feezybabee

# https://hackerone.com/reports/2279584 ## Summary: The `Primary` recursively fetches certificates from other peers upon receiving new `Propose` and `BatchCertificate`. Although it will check the certificate before storing into db, the...

bug

# https://hackerone.com/reports/2288038 ## Summary: In the current implementation of the `Event::WorkerPing` handling, there is no throttling mechanism in place to limit the frequency of worker pings from a specific validator....

bug

# https://hackerone.com/reports/2270050 Your P2P is hardened against most network style DoS/crash attacks. I prefer P2P DoS so much more; but API DoS is super important (wallets, explorers, etc.) and if...

bug

# https://hackerone.com/reports/2226529 ## Summary An out-of-sync validator may not catch up with the consensus in the extreme case ## Steps To Reproduce: No steps to reproduce ## Proof-of-Concept (PoC) 1. Assume...

bug

## Summary: The attacker can trigger an integer overflow in the function [EvaluationDomain::reindex_by_subdomain()](https://github.com/AleoHQ/snarkVM/blob/c620cc4a89bcd81e9de07e827886a2a57e4375e6/algorithms/src/fft/domain.rs#L321) when using a big input index. Consider the following branch: ```rust let i = index - other.size(); let x =...

bug

# https://hackerone.com/reports/2258963 ## Summary: The [nonnative_params::find_parameters()](https://github.com/AleoHQ/snarkVM/blob/c620cc4a89bcd81e9de07e827886a2a57e4375e6/algorithms/src/traits/algebraic_sponge.rs#L166) function accepts two parameters that are involved in further arithmetic operations: `base_field_prime_length` and `target_field_prime_bit_length`. Both parameters can be considered controllable as they are thrown...

bug

# https://hackerone.com/reports/2255800 ## Summary: The snarkVM source code contains the `Vec::with_capacity(capacity)` pattern in many places, where `capacity` is a controllable non-sanitised value. The following places in code are good examples:...

bug

# https://hackerone.com/reports/2257472 ## Summary: The attacker can trigger division by 0 in the function [EvaluationDomain::reindex_by_subdomain()](https://github.com/AleoHQ/snarkVM/blob/c620cc4a89bcd81e9de07e827886a2a57e4375e6/algorithms/src/fft/domain.rs#L321) when using the same `num_coeffs` for `self` and `other`. As can be seen from the...

bug

# https://hackerone.com/reports/2478590 ## Summary Validator node memory leak, attacker could exploit this to halt the network. ## Steps To Reproduce 1. `git clone [email protected]:ghostant-1017/mysnarkOS.git && git checkout attack/memory-leak` 1. Start...

bug

# https://hackerone.com/reports/2469178 ## Summary: BFT sync logic is not safe after PR #3217; 2 malicious validators can send invalid block_locators and blocks to other nodes, and the other nodes...

bug