Ethereum lead developer saved Avalanche from over $24B ecosystem crash
Ethereum developer Péter Szilágyi has released a vulnerability report detailing how a bug he discovered in Avalanche could have crashed the entire network.
On March 29, 2022, Péter Szilágyi identified a bug in Avalanche’s handling of the PeerList package that could easily have been exploited by malicious actors. He contacted the Avalanche developer team, which quickly patched the vulnerability.
Publishing my #avalanche vulnerability report of March 29, 2022, which could have been used to bring down entire networks for free.
This issue has been previously fixed and the latest Avalanche hard fork now runs the patched software on all nodes.
— Peter Szilagyi (karalabe.eth) (@peter_szilagyi) September 8, 2022
PeerList vulnerability
On the Avalanche network, a PeerList package can only be sent by validator nodes. Szilágyi explained that all an attacker would need to do to exploit the vulnerability is stake the 2000 AVAX tokens required to become a validator node and send a malicious PeerList package to nodes on the network.
Szilágyi explains:
Almost instant death for the entire network as every node in the network connects to every validator.
He added:
The price is of course 2000 AVAX, but I think that’s acceptable because a good short will give you a big profit and the network will rebound after a few hours, so you won’t lose your long-term value with a malicious validator.
As of March 2022, the Avalanche network was estimated to have a market capitalization of over $24 billion. Had the vulnerability been exploited by a malicious attacker, the ecosystem crash would have been fatal.
Fighting Avalanche Bugs
When the DeFi protocol Pangolin launched on Avalanche in February 2021, the network was hit by a “cross-chain finality” bug and was forced to go into “self-healing mode”.
Avalanche’s network was under heavy load, causing some validators to accept invalid mint transactions. As a result, the network had to stall all transactions for hours. The developer quickly patched the issue and completed all pending transactions.