bug: malformed operator response can crash the aggregator #1747

Oppen · 2025-01-16T19:08:35Z

From cantina#32. Transcript:

Due to a nil dereference, a malicious operator can bring down an aggregator by nil dereference when verifying the bls key.

Inside SendSignedTaskResponseToAggregator(), a call is made to the aggregator.

The payload that is provided is from the following type:

type SignedTaskResponse struct {
	BatchMerkleRoot [32]byte
	SenderAddress [20]byte
	BatchIdentifierHash [32]byte
	BlsSignature    bls.Signature
	OperatorId      eigentypes.OperatorId
}
If we take a look further inside bls.Signature:

type Signature struct {
	*G1Point `json:"g1_point"`
}
We see that it is a pointer to G1Point.

This opens up the ability of any operator to force the receiving aggregator to panic.

Please follow along with the Proof of Concept below, which will demonstrate the panic on a running localnet.

Given we don't control the signature type and forking would be overkill, the fix consists in adding a nil-check.

The text was updated successfully, but these errors were encountered:

Oppen added aggregator audit cantina Audit report from Cantina labels Jan 16, 2025

Oppen mentioned this issue Jan 17, 2025

hotfix(aggregator): nil dereference for invalid signature #1753

Merged

14 tasks

MauroToscano closed this as completed in #1753 Jan 28, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

bug: malformed operator response can crash the aggregator #1747

bug: malformed operator response can crash the aggregator #1747

Oppen commented Jan 16, 2025

bug: malformed operator response can crash the aggregator #1747

bug: malformed operator response can crash the aggregator #1747

Comments

Oppen commented Jan 16, 2025