Developer reveals details of Avalanche’s network patched vulnerability

The problem discovered in March of this year could have disabled the blockchain completely

09.09.2022 - 12:45

395

2 min

What’s new? Developer Péter Szilágyi has published a report on a vulnerability on the Avalanchenetwork. The problem was discovered on March 29, 2022, and threatened to completely disable the blockchain for 2000 AVAX (~$40 200 at the current rate). Szilágyi discovered the bug and offered a patch to fix it. The problem was fixed the same day with this patch. With Avalanche’s latest hard fork, all nodes run the patched software. The specialist shared details with the permission of Ava Labs engineer Patrick O’Grady.

Link to GitHub

More details about the bug. Such a bug was called “remote node crash via malicious PeerList package.” The hacker had two options to attack. The first was to run a non-validator node to transmit malicious packets. Szilágyi noted that such a trivial option would have taken longer to shut down the network.

According to the second option, the attacker could register as a new validator and send out infected packets for the price of 2000 AVAX that are used for network interaction. Szilágyi called the price acceptable because such a choice would have brought the hacker “a sweet profit.” The expert also noted that in this scenario, the network would have recovered in a few hours.

On September 7, Nereus Finance, a decentralized platform, was hacked, causing hackers to withdraw $370 000 in USD Coin (USDC) stablecoins. The attack involved flash loans and manipulation of the price of AVAX tokens.

In June, crypto wallets MetaMask and Phantom fixed a critical vulnerability in a browser software extension. The bug, discovered by Halborn back in September 2021, allowed hackers to extract seed phrases from users’ computers.

Author: