For the unaware, Witnet is a decentralised, permissionless oracle planning to release its mainnet in the middle of October this year. So currently they are doing regression testing and running an incentivized testnet. They have also launched a bug bounty program.
I have been running a Witnet node from the start of this testnet. While at it, I started looking into the code and checking how the nodes communicate. To join the network, a new node connects to its peers and exchanges VERSION and VERACK messages to consolidate the connection. If this exchange does not complete within the handshake timeout, a separate thread terminates the connection. Even if a received message is malformed, the connection stays alive for at least the handshake timeout period.
As a result, if the number of messages can be increased by decreasing their individual size, the node can be overloaded with a large number of messages, consuming resources, including those of the thread that is supposed to terminate the connection.
Witnet uses protobuf-encoded messages for communication, framed as follows: the first four bytes give the length L of the message and the next L bytes are the message itself. The smallest possible frame is therefore 4 bytes, 0x00000000, carrying a zero-length message.
At 1 Mbps of data from a malicious node, the peer receives around 32000 messages per second (each message being 32 bits). That is a huge number of messages to process in one second; substantial node resources are consumed and the handshake timeout function is not called.
This bug arose because the connection was not closed on error; the node waited for the timeout duration before terminating it. The issue was responsibly disclosed on 31 July. The team acknowledged the DoS possibility and fixed it within a week.
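To make the framing and the fix concrete, here is an added example (my own illustration, not Witnet's code) of a strict decoder for the 4-byte length-prefixed framing described above: a zero-length frame is rejected and the modelled connection is dropped on the first malformed frame rather than kept alive until the handshake timeout. The big-endian length prefix and the 1 MiB per-frame ceiling are assumptions of this example.

```rust
// Added example (not witnet's code): strict decoder for the 4-byte
// length-prefixed framing in the post; big-endian and 1 MiB cap are assumed.
pub const MAX_FRAME_LEN: usize = 1 << 20; // assumed per-frame ceiling

#[derive(Debug, PartialEq)]
pub enum FrameError {
    /// A zero-length payload can never carry VERSION or VERACK.
    EmptyPayload,
    /// Declared length is larger than we are willing to hold in memory.
    TooLarge(usize),
    /// Fewer bytes present than declared. A streaming decoder would wait
    /// for more; this offline model sees the whole stream, so it is an error.
    Truncated,
}

/// Decode one frame from the front of `buf`, returning the payload and the
/// number of bytes consumed (4-byte header + payload).
pub fn decode_frame(buf: &[u8]) -> Result<(&[u8], usize), FrameError> {
    if buf.len() < 4 {
        return Err(FrameError::Truncated);
    }
    let len = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]) as usize;
    match len {
        0 => Err(FrameError::EmptyPayload),
        n if n > MAX_FRAME_LEN => Err(FrameError::TooLarge(n)),
        n if buf.len() - 4 < n => Err(FrameError::Truncated),
        n => Ok((&buf[4..4 + n], 4 + n)),
    }
}

/// Models the fixed behaviour: the first malformed frame closes the
/// connection at once instead of letting it linger until the handshake
/// timeout. Returns (frames accepted, error that caused the close).
pub fn handle_stream(stream: &[u8]) -> (usize, Option<FrameError>) {
    let (mut accepted, mut off) = (0usize, 0usize);
    while off < stream.len() {
        match decode_frame(&stream[off..]) {
            Ok((_payload, used)) => { accepted += 1; off += used; }
            Err(e) => return (accepted, Some(e)), // drop the peer here
        }
    }
    (accepted, None)
}

fn main() {
    // Constructed input: 1000 minimal 0x00000000 frames, the post's pattern.
    let flood = vec![0u8; 4 * 1000];
    println!("flood -> {:?}", handle_stream(&flood)); // closes on frame 1
}
```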