Full Report
Sui is a layer 1 blockchain famous for its speed and concurrency. By being architected this way and using Rust under the hood, it reaches very high throughput. The tl;dr of the vulnerability is an out-of-memory denial-of-service bug that's not particularly interesting. However, the explanation of the ecosystem is interesting and I'll post that for myself here.

Sui uses Narwhal as its mempool (pending transaction list) implementation and Bullshark as the consensus engine (synchronizing the network between validators). Narwhal orders transactions into batches in parallel, and Bullshark works out a DAG over these batches to form consensus. Under the hood, Bullshark uses a BFT consensus algorithm.

Sui network transactions happen in the following steps:

1. Send the transaction to a full node, which forwards it to all of the validators, which perform checks on it.
2. A quorum of 2/3 (after weighting the voters) is collected.
3. Once this is true, the information about the vote is broadcast across the network with a combined certificate.
4. Each validator checks the certificate. If it's valid, it executes the transaction locally.
5. Optionally, the quorum driver can collect an effects certificate based on the previous step and return it to the sender as proof of finality.

When processing the incoming certificate, the logic does not consider a malicious user. A user can put an unbounded number of digests within the certificate, and the validator then grabs the corresponding certificates for these digests. By providing a large number of digests and large certificates, this turns into a denial-of-service vulnerability. Sending a 37MB payload with 1.2M digests triggers an out-of-memory exception, crashing the blockchain.

Honestly, I wish the report was smaller. Most of the information wasn't required to understand the bug... but DoS to take down blockchains is interesting nonetheless.
Analysis Summary
# Vulnerability: Sui Validator Node Out-of-Memory (OOM) Denial of Service
## CVE Details
- **CVE ID**: Not explicitly listed in the source report (common for bug bounty disclosures, which are often tracked by the Sui team internally).
- **CVSS Score**: High Severity (per Immunefi classification)
- **CWE**: CWE-400 (Uncontrolled Resource Consumption) / CWE-770 (Allocation of Resources Without Limits or Throttling)
## Affected Systems
- **Products**: Sui Blockchain Validator Nodes
- **Versions**: Versions prior to the July 2023 patch.
- **Configurations**: Default validator node configurations using the Narwhal mempool and Bullshark consensus engine.
## Vulnerability Description
The vulnerability is a Denial of Service (DoS) flaw caused by improper validation of incoming transaction certificates. In the Sui ecosystem, a validator processes "certificates" which are transactions coupled with a quorum of signatures.
The logic responsible for processing these certificates failed to impose strict limits on the number of digests (transaction identifiers) contained within a single certificate. A malicious actor could craft a certificate containing an excessive number of digests. When a validator attempts to process this "bloated" certificate, it attempts to fetch and store the corresponding data in memory. This leads to an Out-of-Memory (OOM) exception, causing the validator process to crash.
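The missing check described in the report above and in the Full Report section is a bound on how much a single certificate may ask a validator to fetch. The following is an added example, not Sui's code, of what bounded certificate intake looks like: a toy wire format (4-byte little-endian digest count followed by 32-byte digests), assumed limits `MAX_DIGESTS_PER_CERT` and `MAX_CERT_BYTES` that are not Sui constants, and a parser that rejects the payload size and the declared count before allocating anything, then deduplicates digests so repeated entries cannot multiply lookup work. The `build_payload` helper only generates constructed test input.

```rust
use std::collections::HashSet;

/// Length of a transaction digest in bytes (assumed 32-byte hash for this example).
pub const DIGEST_LEN: usize = 32;
/// Assumed per-certificate cap on referenced digests (illustrative, not a Sui constant).
pub const MAX_DIGESTS_PER_CERT: usize = 1_000;
/// Assumed cap on the serialized size of one certificate (illustrative, not a Sui constant).
pub const MAX_CERT_BYTES: usize = 1 << 20; // 1 MiB

#[derive(Debug, PartialEq, Eq)]
pub enum CertError {
    PayloadTooLarge { bytes: usize, max: usize },
    TooManyDigests { declared: usize, max: usize },
    Malformed,
}

/// Build a payload in the constructed wire format: a 4-byte little-endian digest
/// count followed by that many 32-byte digests. Used only to generate sample input;
/// the digests are synthetic (the index modulo 251 repeated across the hash).
pub fn build_payload(count: usize) -> Vec<u8> {
    let mut out = Vec::with_capacity(4 + count * DIGEST_LEN);
    out.extend_from_slice(&(count as u32).to_le_bytes());
    for i in 0..count {
        let b = (i % 251) as u8;
        out.extend(std::iter::repeat(b).take(DIGEST_LEN));
    }
    out
}

/// Parse a certificate payload, enforcing limits *before* trusting any attacker-chosen
/// number. Order matters: the byte-size check runs first, then the declared digest
/// count is bounded, and only then is the body walked and collected.
pub fn parse_certificate(payload: &[u8]) -> Result<Vec<[u8; DIGEST_LEN]>, CertError> {
    // 1. Reject oversized payloads without inspecting their contents.
    if payload.len() > MAX_CERT_BYTES {
        return Err(CertError::PayloadTooLarge { bytes: payload.len(), max: MAX_CERT_BYTES });
    }
    // 2. Read the declared count from the header.
    let header = payload.get(..4).ok_or(CertError::Malformed)?;
    let declared = u32::from_le_bytes(header.try_into().map_err(|_| CertError::Malformed)?) as usize;
    // 3. Bound the declared count before any allocation sized by it; a header that
    //    merely claims millions of digests must not cause a large reservation.
    if declared > MAX_DIGESTS_PER_CERT {
        return Err(CertError::TooManyDigests { declared, max: MAX_DIGESTS_PER_CERT });
    }
    // 4. The declared count must match the bytes actually present.
    let body = &payload[4..];
    if body.len() != declared * DIGEST_LEN {
        return Err(CertError::Malformed);
    }
    Ok(body
        .chunks_exact(DIGEST_LEN)
        .map(|c| {
            let mut d = [0u8; DIGEST_LEN];
            d.copy_from_slice(c);
            d
        })
        .collect())
}

/// Number of distinct digests the validator would actually have to look up.
/// Deduplicating first stops repeated digests from multiplying fetch work.
pub fn unique_digests(digests: &[[u8; DIGEST_LEN]]) -> usize {
    digests.iter().collect::<HashSet<_>>().len()
}

fn main() {
    for count in [5usize, 300, MAX_DIGESTS_PER_CERT + 1] {
        match parse_certificate(&build_payload(count)) {
            Ok(d) => println!("accepted {} digests ({} unique)", d.len(), unique_digests(&d)),
            Err(e) => println!("rejected certificate declaring {} digests: {:?}", count, e),
        }
    }
}
```

The design point is the ordering: a size cap on the raw bytes is cheap and runs first, the declared count is compared against a constant before it can size an allocation, and only a payload that passes both is parsed and deduplicated. Real limits would be derived from the protocol's expected certificate sizes rather than the round numbers assumed here.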
## Exploitation
- **Status**: PoC available (demonstrated by whitehat @f4lt); disclosure handled via bug bounty.
- **Complexity**: Medium (requires knowledge of Sui's certificate structure and BFT consensus).
- **Attack Vector**: Network (Remote)
## Impact
- **Confidentiality**: None
- **Integrity**: None
- **Availability**: High (A 37MB payload containing ~1.2 million digests was sufficient to crash a node. If broadcast to the network, this could result in a total network shutdown by crashing >1/3 of the validator set, preventing consensus).
## Remediation
### Patches
- The Sui team released a fix shortly after the July 15, 2023, disclosure. Node operators should ensure they are running current versions of the Sui validator software.
### Workarounds
- No practical workarounds exist for individual nodes other than upgrading software, as the flaw resides in the core logic of certificate processing which is essential for network participation.
## Detection
- **Indicators of compromise**: Unusual spikes in memory usage on validator nodes followed by process crashes; logs indicating OOM (Out of Memory) errors during certificate verification or Narwhal/Bullshark synchronization.
- **Detection methods and tools**: Standard infrastructure monitoring (Prometheus/Grafana) to alert on memory exhaustion in `sui-node` processes.
## References
- Immunefi Bugfix Review: hxxps[://]medium[.]com/immunefi/sui-temporary-total-network-shutdown-bugfix-review-c271d0319dcc
- Narwhal & Bullshark Research: hxxps[://]arxiv[.]org/pdf/2105.11827.pdf
- Sui Documentation: hxxps[://]docs[.]sui[.]io/