HomeBitcoin InfrastructureNEAR Protocol Fixes Bug That Could Have Crashed the Entire Network

NEAR Protocol Fixes Bug That Could Have Crashed the Entire Network

-

NEAR Protocol operations could have completely halted if attackers found the glaring issue.

Proof-of-Stake blockchain NEAR protocol operated with a vulnerability that could have been exploited to crash all of its nodes. However, no such exploit occurred since no one found it until the security audit and research platform Zellic secretly brought it to the protocol’s action. NEAR patched the issue and offered Zellic a $150,000 bug bounty reward for identifying the issue and bringing it to NEAR’s notice.

“It would effectively be a Web3 ping of death,” the report read, referring to how the network could have been brought to a halt in an instant if attackers took advantage of it. Zellic’s researchers stumbled across the critical issue while looking at the layer that allows nodes to communicate with each other.

How This Would Have Occurred

Essentially, a node wanting to communicate called the remote peer, sends a “handshake message” to another. The other responds with an acknowledgment. The remote peer must prove its identity in this process, which occurs via it signing a message to show that its public key, in fact, belongs to it. This prevents malicious nodes, that are known to be so, from connecting with the network.

“It is an essential part of the verification because the signature check combined with the peer ID check proves that the remote peer that sent this handshake message owns the corresponding public key,” the report explained.

However, that is where the issue lies. NEAR allowed remote peers to prove the ownership of their public keys with two types of signatures. While the first looked fine, the second held bleak revelations. Creating signatures using it could cause a “panic” response that could crash NEAR’s nodes. It contained two kinds of vulnerabilities, with each capable of triggering the panic response. Even if the first was fixed, the second could kick off the “ping of death.”

While the researchers were surprised that the issue was not identified during tests or by malicious actors, the protocol did not allow its nodes to verify their public keys using the second signature type. Still, those wanting to shut down the network’s operations could have altered software to activate the channel with the vulnerabilities and put the blockchain in trouble.

Zellic tested a model of the network on the NEAR testnet with two nodes. One mined blocks while the other exploited the bug. The malicious one attacked the honest node on every try. Luckily, the flaw was found by an audit firm instead of those waiting to hijack the protocol.

FOLLOW US

Upcoming Events

Most Popular