Vulnerability Discovered in Filecoin Network Clients
/ 3 min read
Quick take - In January, a vulnerability was discovered in the Lotus and Venus clients of the Filecoin network that allowed attackers to remotely crash nodes, prompting a switch to unsigned integers for improved security in subsequent software updates.
Fast Facts
- A vulnerability in the Lotus and Venus clients of the Filecoin network was discovered in January, allowing remote node crashes and denial of service due to incorrect index validation.
- The issue stemmed from the use of signed integers, which led to an index out-of-range panic during message processing from peers.
- Both Lotus and Venus have since switched to unsigned integers to enhance security, with fixes implemented in versions 1.25.2 and 1.14.3, respectively.
- The flaw primarily affected the CompactedMessages data structure, which optimizes space by containing all messages of a tipset.
- Recommendations for future prevention include using unsigned integers, careful casting between integer types, and implementing checks to ensure proper variable representation.
Vulnerability Identified in Filecoin Network
In January, a significant vulnerability was identified in the Lotus and Venus clients of the Filecoin network. The Filecoin network is designed for the storage and retrieval of files based on the InterPlanetary File System (IPFS) protocol. This vulnerability allowed an attacker to remotely crash a node, resulting in a denial of service. The issue was due to an incorrect validation of an index that led to an index out-of-range panic. The root of the problem was a common insecure practice observed in blockchain node audits, specifically the use of signed integers.
Response to the Vulnerability
In response to this vulnerability, both Lotus and Venus have switched to using unsigned integers for improved security. The vulnerability primarily affects Lotus, which has a data structure named CompactedMessages. CompactedMessages is designed to optimize space by containing all messages of a tipset, defined as a set of blocks with the same height and parent tipset. The CompactedMessages structure includes fields for messages and their corresponding block indices.
The vulnerability arises during the processing of responses from peers that contain tipset messages. The message index value is incorrectly validated during this process, occurring when an unsigned integer message index is cast to a signed integer. This allows a situation where the message index can exceed the signed integer maximum and become negative, bypassing the validation. This flaw can lead to out-of-range access during the syncing phase, where nodes attempt to obtain tipsets. The function checkMsgMeta is involved in this process, allowing user control over both the message and block indices, highlighting the potential for exploitation during the protocol exchange between peers.
Fixes and Recommendations
To address the issue, the fix involved casting the length of the slice to an unsigned integer, with comparisons now performed using unsigned integers. An alternative fix could have checked that the signed message index was non-negative; however, the chosen method was deemed more straightforward. Lotus implemented the fix in version 1.25.2, while Venus addressed the issue in version 1.14.3.
To prevent similar vulnerabilities in the future, it is recommended that developers use unsigned integers and exercise caution when casting between integer types. Additional measures, such as implementing checks or invariants, can help ensure that variable domains are properly represented in target types. A Semgrep rule has also been suggested to avoid similar mistakes going forward.
The process of building blockchain nodes involves navigating various risks, including those related to consensus, networking, and application security. Organizations like Trail of Bits possess expertise in reviewing blockchain nodes across different layers and components, offering valuable support for clients developing software in programming languages such as Go and Rust.
Original Source: Read the Full Article Here
