The Avalanche Blockchain Bug to Halt the Chain
Before starting CredShields, I was exploring popular blockchains and understanding their features and functionalities. During that time, I found a bug in AvalancheGo that could allow anyone to crash their live testnet (they were not on mainnet at that time).
The Exploration:
The best way to understand and test a blockchain is to have a local setup or a setup of the chain on a personal server so that you don’t mess up a live environment. Let the chain sync to the latest block, and we are good to go.
As chain sync takes time, it is best to utilize the time to read the documentation.
The Bug:
I went through the documentation and then called all the APIs one by one to understand the features properly. One of the APIs caught my attention. Upon sending the curl request below to my server where I had the chain set up, I noticed that the API to dump a memory profile writes a file on the server.
curl -X POST --data '{
"jsonrpc":"2.0",
"id" :1,
"method" :"admin.memoryProfile",
"params" :{
"fileName":"mem.profile"
}
}' -H 'content-type:application/json;' 127.0.0.1:9650/ext/admin
Notice that fileName is user-supplied input. So I tried file.txt, and it still worked. I was pretty sure there was no input validation, but to double-check, I went through the code and noticed that the function “MemoryProfile” takes a file name as input and then creates a file on the server without validation.
func (p *Performance) MemoryProfile(filename string) error {
	// filename is used verbatim: no cleaning, no base-directory check
	file, err := os.Create(filename)
	if err != nil {
		return err
	}
	// ... the heap profile is then written to file ...
}
Since there is no input validation, I can also write files to any directory on the server using ../../:
"fileName":"../../SomefileName"
So here is what we have:
1. Write a memory profile dump with any name.
2. Write the file in any directory.
3. I can also overwrite a file if I supply the same name.
Now the question was: what's the worst I can do? I knew from the server setup that the server has config files and keychain files at $home/.avalanchego/config. I tried to overwrite the keychain file, and the chain stopped syncing.
I reported the bug to the Avalanche team via a public GitHub issue: https://github.com/ava-labs/avalanchego/issues/204
The team confirmed this would work on the live testnet as well.
The Fix:
The team informed us that the API was not supposed to be public. The file name input was also removed and replaced with a static file name rather than a user-supplied one.
https://github.com/ava-labs/avalanchego/pull/256/files
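As an added example (not code from the issue or the pull request above), here is how the vulnerable pattern can be hardened in Go: accept only a bare file name, anchor it under a directory the node owns, and refuse to overwrite an existing file. The names baseDir, safeProfilePath and writeMemoryProfile are my own for this illustration, as is the scratch directory created in main.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"runtime/pprof"
	"strings"
)
var errBadProfileName = errors.New("profile name must be a bare file name")
// safeProfilePath accepts only a bare file name and anchors it under baseDir, so the
// caller cannot choose the directory (the intent of the upstream fix). Note that
// filepath.Join(baseDir, name) alone would not help: "../" still walks out of baseDir.
func safeProfilePath(baseDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." ||
		name != filepath.Base(name) || strings.ContainsAny(name, `/\`) {
		return "", errBadProfileName
	}
	return filepath.Join(baseDir, name), nil
}

// writeMemoryProfile is the hardened handler: validate the name, then create the file
// with O_EXCL so an existing file (a keychain, say) is never silently overwritten.
func writeMemoryProfile(baseDir, name string) (string, error) {
	path, err := safeProfilePath(baseDir, name)
	if err != nil {
		return "", err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	runtime.GC() // collect first so the heap profile reflects live objects
	if err := pprof.WriteHeapProfile(f); err != nil {
		f.Close()
		return "", err
	}
	return path, f.Close()
}

func main() {
	dir, _ := os.MkdirTemp("", "profiles") // constructed scratch directory
	defer os.RemoveAll(dir)
	for _, n := range []string{"mem.profile", "../../SomefileName", "/etc/hosts"} {
		p, err := writeMemoryProfile(dir, n)
		fmt.Printf("%-20q -> %q %v\n", n, p, err)
	}
}
```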

At CredShields, we do manual Blockchain and SmartContract Audits. We are also building a cloud-based smart contract security scanner called SolidityScan
We are on a mission to make web3 a safer place!