Ethereum developer Peter Szilagyi has released a vulnerability report detailing how a bug he found in Avalanche would have crashed the entire network.
Peter Szilagyi on March 29, 2022, identified a bug in Avalanche’s PeerList package which would have been easily exploited by a malicious actor. He reached out to Avalanche’s developer team and they promptly patched the vulnerability.
Publishing my #Avalanche vulnerability report from 29th March, 2022 that could have been used to take the entire network down at no cost.
The issue was fixed way back, and with the latest Avalanche hard fork, all nodes run the patched software.
Njoy ??https://t.co/nokedKF7IZ
— Peter Szilagyi (karalabe.eth) (@peter_szilagyi) September 8, 2022
The PeerList vulnerability
The Avalanche network communicates using a PeerList package that can only be sent by node validators. Szilagyi explained that the vulnerability was such that all an attacker needed was to stake 2000 AVAX tokens required to be a validator node and send out a malicious PeerList package to nodes on the network.
Szilagyi explained:
Since all nodes in the network connect to all validators, it’s pretty much an insta-death for the entire network.
He added :
The price is of course 2000AVAX, but I kind of find that acceptable since a nice short would net a sweet profit and the network would rebound anyway after a few hours so no long term value lost in the malicious validator.
As of March 2022, the market capitalization of the Avalanche network was estimated at over $24 billion. The crash of the ecosystem would have been fatal if the vulnerability was hijacked by a malicious attacker.
Avalanche’s battle with bugs
During the launch of DeFi protocol Pangolin on Avalanche in February 2021, the network suffered a “cross-chain finality” bug that forced it to enter a “self-healing mode.”
Avalanche experienced a heavy network load that caused some validators to accept some invalid mint transactions. Consequently, the network had to halt all transactions for hours. The developers quickly patched the issue and completed all pending transactions.
