🎯
Reviewing code.

vks this-vishalsingh

@this-vishalsingh
this-vishalsingh / poc-draft.md
Last active May 20, 2025 15:01
Notification Protocol DoS Vulnerability PoC
// This PoC demonstrates the DoS vulnerability in SXT Node where notification protocols
// are registered without rate limiting parameters (max_notifications_per_peer and rate_limit_allowed_bytes)
// in node/src/service.rs, allowing a malicious peer to flood the network with unlimited messages.

use std::time::{Duration, Instant};
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Arc;
use tokio::time::sleep;
@this-vishalsingh
this-vishalsingh / DoS-poc.md
Last active May 19, 2025 14:24
Unbounded Message Processing Leads to Critical Validator Denial of Service

Summary

The EVM message processing functionality in the system_tables pallet lacks proper bounds on message count and size, creating a critical DoS vulnerability that can render validators unresponsive for extended periods. This has been confirmed through a functional proof of concept.

Finding Description

When analyzing the codebase in pallets/system_tables/src/lib.rs, I identified that the process_evm_message() function contains a vulnerability where it processes an unbounded number of rows with messages of unlimited size:

pub fn process_evm_message<T: Config>(request: SystemRequest) -> DispatchResult {
    request
        .rows()
@this-vishalsingh
this-vishalsingh / RepayPoC.md
Created May 13, 2025 15:40
Double spend in `AlchemistV3:repay()` leads to loss of funds
// SPDX-License-Identifier: GPL-3.0-or-later
pragma solidity 0.8.26;

import {Test} from "../../lib/forge-std/src/Test.sol";
import {console} from "../../lib/forge-std/src/console.sol";
import {AlchemistV3} from "../AlchemistV3.sol";
import {IERC20} from "../../lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "../libraries/SafeERC20.sol";