Vulnerability report highlighted attack that could have taken down the Avalanche Network
A vulnerability report was released to the public earlier today highlighting an attack that could have taken down the entire Avalanche Network, one of the largest Layer 1 blockchains.
The vulnerability was first discovered by Ethereum team lead Peter Szilagyi on March 29. At the time of discovery, Avalanche had more than $9 billion in total value locked (TVL) and a market capitalization of roughly $24 billion, according to DeFi Llama and Coingecko, respectively. This issue has since been patched.
Ava Labs declined to comment for this story.
The report released by Szilagyi laid out a timeline of events that occurred leading up to the public release, as well as details regarding the vulnerability.
When Szilagyi discovered the vulnerability on March 29, he suggested to Avalanche they push through a patch to fix it. The team responded quickly, patching the vulnerability that same day.
The vulnerability was a “remote node crash via malicious PeerList package,” Szilagyi said.
In other words, a malicious attacker could have funded an Avalanche node for roughly $179,000, sent out malicious PeerList packages (used for network communication) to other nodes, and effectively taken down the network.
The attacker could also have opted to run a non-validator node (connected to only validators vs. all nodes in the network) that would effectively give the same result but would take much longer to play out.
Szilagyi provided more details, writing, “Avalanche is very relaxed on the network connections it makes, and even a single connection is enough to take down a node.” “Since all nodes in the network connect to all validators, it’s pretty much an insta-death for the entire network,” he added
Szilagyi wrote in the case of an attacker funding a new validator to run this attack, they would opt to put in a short on the AVAX token even with the up-front cost of $179,000.
This is because “the network would rebound anyway after a few hours so no long-term value lost in the malicious validator,” Szilagy said in his report.