Notification of remediated Testnet attack vector

Discovery

On Wednesday 07 Aug 2024, at approximately 09:35 UTC, our partners at MAKE noticed an uptick in transactions on Testnet. They investigated and discovered that a vast number of transactions had been submitted within a couple of hours, all of which called the add_bid routine on the auction contract.

MAKE informed the Casper Association of their discovery at approx. 12:32 UTC. A team of technical staff from the Association and Casper Labs immediately began monitoring the situation and discussing how best to deal with it.

Details

The attack vector leverages the fact that there is no minimum value specified for the add_bid function on the auction contract. The attackers used this to submit tens of thousands of transactions calling the add_bid function with a near-zero bid amount, at little to no cost, on Testnet.

Impact

Because each call to the add_bid function must be stored permanently on chain, the vast number of bogus transactions submitted led to an increase in CPU load, I/O writes and storage consumption. This negatively impacted chain performance. The extent of this impact was not systemically significant, but it could easily have been scaled exponentially, to the point where it could have had a significant impact on chain performance.

  • At no time was the chain unavailable.
  • At no time were any funds in danger.
  • At no time was Mainnet affected.

Remediation


This update:

  • Increases the cost for add_bid to 3,500 CSPR
  • Introduces a 10,000 CSPR minimum bid

Both changes are visible in the release chainspec.toml. The binary has been updated to support the new minimum bid value, and to change the add_bid data type from u32 to u64. These changes are intended to prevent a dusting vector on the auction state.
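
The effect of the two changes can be modelled as follows. This is an added example, not code from casper-node or the release: the type and function names are hypothetical, the pre-fix call cost is a constructed placeholder, and amounts are assumed to be expressed in motes (1 CSPR = 10^9 motes). Under that assumption it also shows that the new 3,500 CSPR cost no longer fits a 32-bit field.

```rust
// Added illustration: names are hypothetical, not casper-node identifiers.
pub const MOTES_PER_CSPR: u64 = 1_000_000_000; // 1 CSPR = 10^9 motes

/// Auction settings relevant to the notice, expressed in motes (assumption).
pub struct AuctionRules {
    pub add_bid_cost: u64, // charged for every add_bid call
    pub minimum_bid: u64,  // smallest bid accepted; 0 means no minimum
}

#[derive(Debug, PartialEq)]
pub enum BidError {
    BelowMinimum { offered: u64, minimum: u64 },
    Overflow,
}

/// Settings after the update, using the figures stated in the notice.
pub fn remediated_rules() -> AuctionRules {
    AuctionRules { add_bid_cost: 3_500 * MOTES_PER_CSPR, minimum_bid: 10_000 * MOTES_PER_CSPR }
}

/// Validates one add_bid call; returns the motes it commits (bid plus call cost).
pub fn check_add_bid(rules: &AuctionRules, amount: u64) -> Result<u64, BidError> {
    if amount < rules.minimum_bid {
        return Err(BidError::BelowMinimum { offered: amount, minimum: rules.minimum_bid });
    }
    amount.checked_add(rules.add_bid_cost).ok_or(BidError::Overflow)
}

/// Replays a batch of bid amounts; returns (accepted, rejected) counts.
pub fn replay(rules: &AuctionRules, amounts: &[u64]) -> (usize, usize) {
    let ok = amounts.iter().filter(|&&a| check_add_bid(rules, a).is_ok()).count();
    (ok, amounts.len() - ok)
}

/// True when a motes value would still fit a 32-bit field.
pub fn fits_u32(motes: u64) -> bool {
    motes <= u64::from(u32::MAX)
}

fn main() {
    // Constructed pre-fix settings: no minimum bid; the call cost is a placeholder.
    let before = AuctionRules { add_bid_cost: 1, minimum_bid: 0 };
    let after = remediated_rules();
    let batch = [1, 1, 1, 10_000 * MOTES_PER_CSPR]; // constructed sample amounts
    println!("before: {:?}", replay(&before, &batch));
    println!("after:  {:?}", replay(&after, &batch));
    println!("new cost fits u32: {}", fits_u32(after.add_bid_cost));
}
```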

Next Steps

Post activation, no further steps are necessary on the part of the community. No funds were compromised, and Mainnet was not affected. Casper Association, MAKE & Casper Labs collaborated effectively and with agility to diagnose and remediate the problem.

To report any security incident or concern:

NOTE: Do not post specifics of any potential vulnerabilities in a public comms channel; such posts will be deleted for security reasons.