CVE-2024-34360 in go-spacemesh

Summary

by MITRE • 05/14/2024

go-spacemesh is a Go implementation of the Spacemesh protocol full node. Nodes can publish activation transactions (ATXs) which reference the incorrect previous ATX of the Smesher that created the ATX. ATXs are expected to form a single chain from the newest to the first ATX ever published by an identity. Allowing Smeshers to reference an earlier (but not the latest) ATX as previous breaks this protocol rule and can serve as an attack vector where Nodes are rewarded for holding their PoST data for less than one epoch while still being eligible for rewards. This vulnerability is fixed in go-spacemesh 1.5.2-hotfix1 and Spacemesh API 1.37.1.

Analysis

by VulDB Data Team • 05/14/2024

The vulnerability CVE-2024-34360 affects the go-spacemesh implementation of the Spacemesh protocol full node, specifically targeting the activation transaction (ATX) validation mechanism. This flaw allows malicious nodes to publish ATXs that reference incorrect previous ATXs from the same smesher, fundamentally undermining the protocol's chain integrity. The Spacemesh protocol relies on a strict chronological chain of ATXs to establish the validity of smeshers' participation and reward eligibility. When nodes can reference an earlier ATX instead of the most recent one, they effectively break the expected chain structure that ensures proper epoch progression and reward distribution.

The technical flaw stems from insufficient validation of ATX references during the publishing process. In a properly functioning Spacemesh network, each ATX must reference the immediately preceding ATX from the same smesher to maintain the sequential chain structure. This vulnerability permits nodes to bypass this requirement, allowing them to reference any previous ATX in the chain as long as it's not the most recent one. The protocol expects ATXs to form a single chain from the newest to the first ATX ever published by an identity, creating a clear chronological sequence that validates smesher participation and prevents double-spending or reward manipulation.

The operational impact of this vulnerability is significant as it creates a potential attack vector that could allow malicious actors to game the reward system. Nodes can be rewarded for holding their Proof of Space and Time (PoST) data for less than one epoch while still remaining eligible for rewards, which directly violates the protocol's economic incentives and security model. This manipulation could lead to unfair reward distribution, where nodes receive compensation for minimal participation while maintaining the computational resources required for full epoch participation. The vulnerability essentially allows for the creation of multiple valid ATX chains from the same identity, undermining the network's consensus mechanism and potentially enabling economic attacks that could destabilize the entire network.

This vulnerability maps to CWE-227, which covers deviations from standards in security features, specifically related to improper handling of security-relevant data structures. The flaw also aligns with ATT&CK technique T1059.001, which involves the execution of malicious code through the manipulation of protocol rules and data structures. The fix implemented in go-spacemesh version 1.5.2-hotfix1 and Spacemesh API 1.37.1 addresses the core validation issue by enforcing strict sequential reference checking for ATXs, ensuring that each transaction can only reference the immediately preceding ATX in the chain. This mitigation restores the protocol's expected behavior and prevents the exploitation of the chain structure manipulation that enabled the reward gaming attack. Network operators should immediately upgrade to these patched versions to prevent potential exploitation of this vulnerability and maintain the integrity of their nodes within the Spacemesh network.
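As an added illustration of the chain rule described in the summary and analysis above (example code, not go-spacemesh's own), the following Go model contrasts a pre-fix style check, which only requires the referenced previous ATX to exist and belong to the same smesher, with the strict check that requires it to be the identity's newest ATX. The ATX and ATXStore types, the function names and the sample ATX IDs are all hypothetical.

```go
package main

import "fmt"

// Added illustration, not go-spacemesh's code: a minimal model of the
// per-identity ATX chain rule from the advisory. All names are hypothetical.
type ATX struct {
	ID, Smesher, PrevATX string // PrevATX is "" for an identity's first ATX
}

// ATXStore indexes accepted ATXs by ID and tracks each identity's newest ATX.
type ATXStore struct {
	byID   map[string]ATX
	latest map[string]string // smesher -> ID of its newest ATX
}
func NewATXStore() *ATXStore {
	return &ATXStore{byID: map[string]ATX{}, latest: map[string]string{}}
}
// Add stores a validated ATX and moves the identity's chain head to it.
func (s *ATXStore) Add(a ATX) { s.byID[a.ID] = a; s.latest[a.Smesher] = a.ID }

// validateWeak models the pre-fix check: the referenced previous ATX only has
// to exist and belong to the same identity, so any older ATX is accepted.
func (s *ATXStore) validateWeak(a ATX) error {
	prev, ok := s.byID[a.PrevATX]
	if a.PrevATX != "" && (!ok || prev.Smesher != a.Smesher) {
		return fmt.Errorf("prev ATX %q unknown or owned by another identity", a.PrevATX)
	}
	return nil
}

// validateStrict adds the fixed rule: PrevATX must equal the identity's newest
// ATX ("" when it has none), so a first ATX is the only one with no PrevATX.
func (s *ATXStore) validateStrict(a ATX) error {
	if err := s.validateWeak(a); err != nil {
		return err
	}
	if newest := s.latest[a.Smesher]; a.PrevATX != newest {
		return fmt.Errorf("prev ATX %q is not the identity's newest ATX %q", a.PrevATX, newest)
	}
	return nil
}

func main() { // constructed case from the advisory: atx3 skips atx2, pointing at atx1
	s := NewATXStore()
	s.Add(ATX{ID: "atx1", Smesher: "id-A"})
	s.Add(ATX{ID: "atx2", Smesher: "id-A", PrevATX: "atx1"})
	bad := ATX{ID: "atx3", Smesher: "id-A", PrevATX: "atx1"}
	fmt.Println("weak:", s.validateWeak(bad), "strict:", s.validateStrict(bad))
}
```

The weak check accepts atx3 because atx1 exists and is signed by the same identity; the strict check rejects it because atx2 is the identity's newest ATX.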

Reservation: 05/02/2024

Disclosure: 05/14/2024

Moderation: accepted

CPE: ready

EPSS: 0.00734

KEV: no

Activities: very low
