ForkLog

Avalanche vulnerability could have caused a network-wide outage.


Ethereum developer Péter Szilágyi described a vulnerability that could allow an attacker to take down the Avalanche network.

The bug was discovered on March 29 and fixed the same day with Szilágyi’s patch.

On September 8, the developer published a detailed report with the approval of Ava Labs engineer Patrick O’Grady.

The vulnerability consisted of a “remote node crash caused by a malicious PeerList package”.

The attacker had two attack routes to choose from. In the first, they would register as a validator for 2000 AVAX (~$40,000) and disseminate malicious PeerList packets, which are used for network communication.

“Since nodes connect to all validators, this would effectively be an instant death for the network,” Szilágyi noted.

He described the cost of the attack as “acceptable”. In his view, betting on a drop in the token would yield the attacker “a nice profit”. In the long run, the value of the invested funds would not suffer, because the blockchain “will recover in a few hours anyway”, Szilágyi added.

The second option for the attacker was to register a “non-validator” node for free to disseminate malicious packets. However, in this case stopping the network would take longer, the programmer noted.

“Avalanche is very tolerant of the network connections it establishes, and even one of them is enough to take a node offline,” the developer said.

Earlier this March, Ava Labs president John Wu declined to call Avalanche a competitor to Ethereum.
