Full Report
Move blockchains are pretty rare about this point. There are only Sui and Aptos that are using it to my knowledge. Move by itself is not completely safe from cross-contract alterations and other weird problems. To resolve this, there is a static verifier running at compile time. Sui implements a distinct memory model compared to the original Move implementation by using a customized version of the Move VM. Upon adding these features, Sui decided to add custom verifiers to ensure the safety of the programs being executed such as the bounds checker. All of this is achieved with the high level concept of the abstract interpreter framework designed for doing security analysis on bytecode. The abstract interpreter contains a control flow graph with an understanding of the states that it may jump to prior to the execution of a basic block. If there are no loops, the linear execution is simple for validating simple flow. With a loop, the merging of states is done. The Sui blockchain contains an object-centric global storage model, which is different than the original Move design. Objects can have a unique ID with the key ability. A verifier is ran to ensure that the ID is unique per object. So, where's the bug at? Still more background! The verifier integrates with the Move Abstract Interpreter in the AbstractState::join() function. This function merges and updates state values iteratively like we mentioned before. For each local variable in the incoming state, it compares the value to its current value. If the two valeus are unequal, then the changed flag is added to perform a AbstractValue::join() call and to go over this iteratively again. There is an order of operations problem here though. AbstractState::join() may indicate a change due to the differing new and old values but the state value after the update might remain the same. This occurs because the AbstractState is processed before the AbstractValue. By triggering this state, it's possible to initiate an infinite analysis loop. This infinite loop would bring the network to a complete halt. To fix this, a hard fork of the software would be required. As a result, this leads to a critical severity issue. To fix this problem, Sui changed the order of operations between the AbstractValue and AbstractState. On top of this, the verifier can now timeout as well, mitigations impacts of these types of bugs in the future.
Analysis Summary
# Vulnerability: The HamsterWheel - Infinite Loop in Sui Move Verifier
## CVE Details
- **CVE ID:** CVE-2023-34451
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
## Affected Systems
- **Products:** Sui Blockchain (Sui Move VM)
- **Versions:** Versions prior to commit `7915de5` (April 2023)
- **Configurations:** Systems running the `IDLeak` verifier within the Move Abstract Interpreter framework.
## Vulnerability Description
The vulnerability exists in Sui’s custom `IDLeak` verifier, which ensures that object IDs remain unique and immutable. This verifier integrates with the Move Abstract Interpreter's iterative analysis process.
When analyzing code containing loops, the `AbstractState::join()` function is responsible for merging states from different execution paths. Due to an "order of operations" flaw, `AbstractState::join()` could indicate that a state change occurred because the incoming value differed from the current value. However, after the internal `AbstractValue::join()` call was processed, the resulting state remained effectively the same as the previous iteration. This created a logic flaw where the "changed" flag was perpetually triggered, causing the Abstract Interpreter to re-analyze the block indefinitely.
## Exploitation
- **Status:** PoC available (reported by CertiK); not exploited in the wild prior to discovery.
- **Complexity:** Medium (Requires crafting a specific Move bytecode payload with a malicious loop structure).
- **Attack Vector:** Network (Submitting a malicious contract for publishing or upgrading).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Critical (Infinite loop during verification causes validators to hang, leading to a complete network halt).
## Remediation
### Patches
- **Sui Source Code:** Fixed in commit `7915de5` on April 28, 2023.
- **Logic Fix:** Sui reordered the operations between `AbstractValue` and `AbstractState` to ensure the "changed" flag accurately reflects a terminal state.
### Workarounds
- **Metering/Timeouts:** Sui extended "tick-based" metering to every verifier pass. If verification exceeds a specific computation threshold, the validator refuses to sign the transaction, preventing the hang.
- **Denylisting:** Implementation of a `Transaction Denylist` and `Certificate Denylist` allows validators to ignore specific malicious transactions or certificates that trigger known crashes.
## Detection
- **Indicators of Compromise:** Validator nodes showing 100% CPU utilization on a single thread without progressing through blocks; logs indicating a transaction stuck in the `IDLeak` verifier pass.
- **Detection Methods:** Static analysis of Move bytecode for specific loop regularities that bypass the Abstract Interpreter's fixed-point convergence.
## References
- **Vendor Advisory:** Mysten Labs (Sui) Security Update
- **CertiK Research:** hxxps[://]www[.]certik[.]com/blog/technical-blogs/the-hamsterwheel-an-in-depth-exploration-of-a-novel-attack-vector-on-the-sui-blockchain
- **GitHub Repository:** hxxps[://]github[.]com/MystenLabs/sui/commit/7915de5