Near Protocol Resolves Critical Vulnerability That Could Have Crashed Entire Network

Near Protocol has addressed a critical vulnerability that could have crashed its entire network. Discovered by Zellic, the flaw, known as the “Web3 Ping of Death”, was promptly patched after responsible disclosure, ensuring network stability.

Near Protocol, a smart contract platform, faced a critical vulnerability that had the potential to crash every node on its network, effectively bringing it to a halt. This alarming finding was reported by blockchain security firm Zellic, which discovered the flaw and described it as a “Web3 Ping of Death” due to its capacity to incapacitate the entire network almost instantly.

Discovery and Nature of the Vulnerability

The vulnerability was identified during an investigation into Near’s peer-to-peer networking protocol, which is essential for enabling effective communication among validator nodes. The researchers discovered that nodes on the network authenticate one another using a “handshake” process that employs two types of signatures, Ed25519 and SECP256K1.

While the verification process for Ed25519 signatures functioned correctly, the SECP256K1 signature verification triggered a “panic” that caused the node to crash. The researchers expressed surprise that this serious flaw had not been detected during testing, nor had it resulted in an actual network crash.

The fortunate reality was that the Near node software had “no code path that allows a Near node to generate SECP256K1 type keys.” In essence, while the software enabled nodes to accept SECP256K1 signatures, it did not allow them to create such signatures. Consequently, no node had ever accidentally crashed the network by generating SECP256K1 keys and attempting to connect to another node.
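The defensive lesson in the paragraphs above is that a handshake verifier must never have a panic on a path an untrusted peer can reach. The following added example is constructed for this article and is not nearcore’s code: it models the handshake as a one-byte key-type tag followed by a 32-byte key and a 64-byte signature (an assumed layout), stands in for the real Ed25519 check with a caller-supplied closure, and contrasts a verifier whose SECP256K1 arm panics with one that rejects the unsupported key type as an ordinary error.

```rust
use std::panic;

/// Key types a peer may present in the handshake (constructed model, not nearcore's types).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum KeyType { Ed25519, Secp256k1 }

#[derive(Debug, PartialEq)]
pub enum HandshakeError { Malformed, UnsupportedKeyType(KeyType), BadSignature }

/// Assumed wire layout: 1 tag byte (0 = Ed25519, 1 = SECP256K1), 32-byte key, 64-byte signature.
/// Strict length checks here keep malformed input from reaching the verifier at all.
pub fn parse_handshake(msg: &[u8]) -> Result<(KeyType, &[u8], &[u8]), HandshakeError> {
    let (&tag, rest) = msg.split_first().ok_or(HandshakeError::Malformed)?;
    let kt = match tag {
        0 => KeyType::Ed25519,
        1 => KeyType::Secp256k1,
        _ => return Err(HandshakeError::Malformed),
    };
    if rest.len() != 32 + 64 {
        return Err(HandshakeError::Malformed);
    }
    Ok((kt, &rest[..32], &rest[32..]))
}

/// Vulnerable shape: the SECP256K1 arm panics, so a peer presenting tag 1 takes the node down.
/// `ed25519_verify` stands in for the real Ed25519 check: (key, signature) -> valid?
pub fn verify_panicking(msg: &[u8], ed25519_verify: impl Fn(&[u8], &[u8]) -> bool) -> Result<(), HandshakeError> {
    let (kt, key, sig) = parse_handshake(msg)?;
    match kt {
        KeyType::Ed25519 if ed25519_verify(key, sig) => Ok(()),
        KeyType::Ed25519 => Err(HandshakeError::BadSignature),
        KeyType::Secp256k1 => unimplemented!("SECP256K1 verification"),
    }
}

/// Hardened shape: an unsupported key type is a rejected handshake, never a panic.
pub fn verify_hardened(msg: &[u8], ed25519_verify: impl Fn(&[u8], &[u8]) -> bool) -> Result<(), HandshakeError> {
    let (kt, key, sig) = parse_handshake(msg)?;
    match kt {
        KeyType::Ed25519 if ed25519_verify(key, sig) => Ok(()),
        KeyType::Ed25519 => Err(HandshakeError::BadSignature),
        KeyType::Secp256k1 => Err(HandshakeError::UnsupportedKeyType(kt)),
    }
}

/// True if handling `msg` with the vulnerable verifier panics, i.e. would have crashed the node.
pub fn node_would_crash(msg: &[u8], ed25519_verify: impl Fn(&[u8], &[u8]) -> bool) -> bool {
    panic::catch_unwind(panic::AssertUnwindSafe(|| verify_panicking(msg, ed25519_verify))).is_err()
}
```

A regression test of this shape (feed every key-type tag, including ones the node cannot itself generate, and assert that the handler returns rather than panics) is what would have caught the flaw before release.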

Potential for Exploitation

Despite this inherent safety feature, a malicious actor could theoretically modify the node software to enable the generation of SECP256K1 keys. If successful, this individual could crash any Near node merely by attempting to connect to it, leading to a potential network-wide failure. This scenario exemplified the concept of a “Web3 Ping of Death.”

To validate the existence of this vulnerability, the Zellic researchers created a modified version of the Near software that allowed the generation of SECP256K1 keys. They then conducted a test on a private version of the Near network in which one node ran the legitimate software while the other ran the malicious version. The results were consistent: the malicious node crashed the legitimate one every time it attempted to connect.

Response and Resolution

Zellic discreetly reported the vulnerability to the Near Protocol team in December, using HackenProof’s bug bounty platform to facilitate the responsible disclosure. In recognition of their findings, Near Protocol rewarded Zellic with $150,000 and promptly patched the node software in January.

This resolution transformed what could have been a crisis into a successful conclusion. In contrast to Near Protocol, other blockchain networks have not been as fortunate in dodging flaws that led to significant downtime. For instance, in December the Arbitrum network experienced over 78 minutes of downtime due to an unexpected surge in inscription minting for which it was unprepared. Similarly, in January nearly 50% of Cardano nodes went offline because of an “anomaly”, which delayed block production and transaction confirmations but did not result in a complete network failure. In February, Solana also faced criticism after failing to produce a block for over 25 minutes, marking yet another incident of instability for the network.
