Originally published on: October 08, 2024
A recent report from blockchain security firm Zellic revealed a critical vulnerability in the Near Protocol smart contract platform that had the potential to crash every node on the network, effectively shutting it down. The vulnerability, dubbed the “Web3 Ping of Death,” was discovered and patched in January, but similar flaws may still exist on other networks.
The vulnerability was found in Near’s peer-to-peer networking protocol for validator nodes, which allows validators to communicate with each other. While verifying one type of signature, Ed25519, worked as intended, verifying SECP256K1 signatures resulted in a system crash.
Interestingly, the vulnerability had not caused any network crashes prior to its discovery due to the absence of a code path that allowed Near nodes to generate SECP256K1 keys. However, malicious actors could potentially exploit this flaw to crash any Near node by altering the software to generate SECP256K1 keys.
To validate the vulnerability, researchers created a malicious version of the Near software that allowed the generation of SECP256K1 keys. Testing on a private testnet confirmed that the malicious node successfully crashed the legitimate one every time.
Upon discovery, Zellic disclosed the vulnerability to the Near team and received a $150,000 reward through HackenProof’s bug bounty platform. The team promptly issued a patch in January to address the security flaw and prevent network crashes.
While Near Protocol was able to swiftly remediate the vulnerability, other blockchain networks have experienced similar issues resulting in network downtime. By addressing vulnerabilities proactively, blockchain networks can ensure the stability and security of their platforms for users and investors.
