Witnet Network Bug Bounty: DOS Bug from Harsh Jain

For those unaware, Witnet is a Decentralised Permissionless Oracle Network planning to release Mainnet in the middle of October this year. Currently they are doing regress testing and running a Testnet Incentive Program, including a Bug Bounty Program.

I have been running a Witnet node from the start of this Testnet. Alongside that, I also started looking into the code and checking out how the nodes were communicating. In order to join the network, a new node communicates with its peers and exchanges VERSION and VERACK messages to consolidate the connection. If the exchange of these messages doesn’t happen within handshake timeout duration, another thread terminates the connection. Even if the message is erroneous, the connection is live for at least thehandshake timeout period.

As a result, if the number of messages can somehow be increased by decreasing their individual size, we can effectively overload the node with a large number of messages and even consume the resources of the thread that terminates the connection.

Witnet is using PROTOBUF encoded messages for communication. The format of PROTOBUF messages is as follows: firstly, four bytes tell the length of message L, and the next L bytes encompass the actual message. So, the smallest size of the message is 4 bytes: 0x00000000, with 0 being the length of the actual message.

For 1Mbps transfer of data from a malicious node, peers will receive around 32000 messages per second (each message containing 32 bits). This is a huge number of messages to be processed in 1 second, and as a result requires substantial resources from nodes and the handshake timeout function is not called.

This bug was therefore raised because the connection was not closed, and nodes would wait for timeout duration before terminating it. This attack was responsibly disclosed on 31 July. The team acknowledged the DOS possibility and fixed it within a week.