{"id":66912,"date":"2022-09-09T12:05:52","date_gmt":"2022-09-09T09:05:52","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=66912"},"modified":"2025-09-07T03:49:44","modified_gmt":"2025-09-07T00:49:44","slug":"avalanche-vulnerability-could-have-caused-a-network-wide-outage","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/avalanche-vulnerability-could-have-caused-a-network-wide-outage\/","title":{"rendered":"Avalanche vulnerability could have caused a network-wide outage."},"content":{"rendered":"<p>Ethereum developer P\u00e9ter Szil\u00e1gyi described a vulnerability that could allow an attacker to take down the Avalanche network.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p dir=\"ltr\" lang=\"en\">Publishing my <a href=\"https:\/\/twitter.com\/hashtag\/Avalanche?src=hash&#038;ref_src=twsrc%5Etfw\">#Avalanche<\/a> vulnerability report from 29th March, 2022 that could have been used to take the entire network down at no cost.<\/p>\n<p>The issue was fixed way back, and with the latest Avalanche hard fork, all nodes run the patched software.<\/p>\n<p>Njoy \ud83d\ude42<a href=\"https:\/\/t.co\/nokedKF7IZ\">https:\/\/t.co\/nokedKF7IZ<\/a><\/p>\n<p>\u2014 P\u00e9ter Szil\u00e1gyi (karalabe.eth) (@peter_szilagyi) <a href=\"https:\/\/twitter.com\/peter_szilagyi\/status\/1567835617932808193?ref_src=twsrc%5Etfw\">September 8, 2022<\/a><\/p><\/blockquote>\n<p>The bug was discovered on March 29 and it was promptly fixed the same day with Szil\u00e1gyi&#8217;s patch.<\/p>\n<p>On September 8, the developer published a detailed report with the approval of Ava Labs engineer Patrick O\u2019Grady.<\/p>\n<p>The vulnerability consisted of a &#8220;remote node crash caused by a malicious PeerList package&#8221;.<\/p>\n<p>The attacker could choose two attack routes. 
In the first, the attacker would register as a validator for 2000 AVAX (~$40,000) and disseminate malicious PeerList packets, which are used for network communication.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;Since nodes connect to all validators, this would effectively be an instant death for the network,&#8221; Szil\u00e1gyi noted.<\/p>\n<\/blockquote>\n<p>He described the cost of the attack as &#8220;acceptable&#8221;. In his view, betting on a drop in the token would yield the attacker &#8220;a nice profit&#8221;. In the long run, the value of the invested funds would not suffer, because the blockchain &#8220;will recover in a few hours anyway&#8221;, Szil\u00e1gyi added.<\/p>\n<p>The second option for the attacker was to register a &#8220;non-validator&#8221; node for free to disseminate malicious packets. However, in this case stopping the network would take longer, the programmer noted.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;Avalanche is very tolerant of the network connections it establishes, and even one of them is enough to take a node offline,&#8221; the developer said.<\/p>\n<\/blockquote>\n<p>Earlier, in March, Ava Labs president John Wu declined <a href=\"https:\/\/forklog.com\/en\/news\/ava-labs-chief-declines-to-call-avalanche-an-ethereum-competitor\">to call Avalanche a competitor<\/a> to Ethereum.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Ethereum developer P\u00e9ter Szil\u00e1gyi described the vulnerability that could allow an attacker to take down the Avalanche 
network.<\/p>\n","protected":false},"author":1,"featured_media":26216,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1413,1301],"class_list":["post-66912","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-avalanche-avax","tag-blockchain-vulnerabilities"],"aioseo_notices":[],"amp_enabled":true,"views":"24","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/66912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=66912"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/66912\/revisions"}],"predecessor-version":[{"id":66913,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/66912\/revisions\/66913"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/26216"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=66912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=66912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=66912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}