Ethereum developer Péter Szilágyi has released a vulnerability report detailing how a bug he discovered in Avalanche could have crashed the entire network.
On March 29, 2022, Szilágyi identified a bug in Avalanche’s handling of PeerList packets that could easily have been exploited by malicious actors. He reported it to the Avalanche development team, which quickly patched the vulnerability.
“My publication: the #avalanche vulnerability report from March 29, 2022. It could have been used to bring down the entire network for free.
This issue has been previously fixed and the latest Avalanche hard fork now runs the patched software on all nodes.”
Péter Szilágyi (karalabe.eth) (@peter_szilagyi), September 8, 2022
PeerList vulnerability
On the Avalanche network, PeerList packets can only be sent by validator nodes. Szilágyi explained that all an attacker would need in order to exploit the vulnerability is to stake the 2,000 AVAX required to run a validator node and then send a malicious PeerList packet to the other nodes on the network.
Szilágyi explains:
“Every node in the network connects to every validator, so it’s almost instant death for the whole network.”
He added:
“Of course, the price is 2,000 AVAX, but I think it is acceptable, because a good short would give a big profit, and the network will rebound anyway after a few hours, because there is no loss of value.”
As of March 2022, the Avalanche network had an estimated market capitalization of over $24 billion. Had a malicious attacker exploited the vulnerability, crashing the ecosystem could have been devastating.
Fighting Avalanche Bugs
When the DeFi protocol Pangolin launched on Avalanche in February 2021, the network was hit by a cross-chain finality bug and was forced into “self-healing mode”.
Avalanche’s network was under heavy load, causing some validators to accept invalid mint transactions. As a result, the network had to stall all transactions for hours. The developers quickly patched the issue, and all pending transactions were then completed.