The eth_call API in AvalancheGo has a critical DoS vulnerability due to excessive gas limits, inefficient logging, and lack of rate limiting. Attackers can exploit these issues to overload the node's resources, causing it to crash or become unresponsive. To mitigate this, adjustments to gas limits, improved logging practices, and the implementation of rate limiting are recommended.
Exploit PoC Script: https://gist.github.com/lj1nu/694f1ea2f2e3f97e40a6f53f2f915f0d
Video: https://youtu.be/WXMERc4akBE
The Avalanche network can be broken down into two components. The first component is validators. Validators produce and perform consensus over blocks. As long as a sufficient number of validators are online and able to communicate over the p2p network, the Avalanche network will remain online and be able to confirm new transactions. The second component is non-validators. Non-validators are able to synchronize the network and submit new transactions into the network.
Transactions are typically first issued through AvalancheGo’s HTTP API on a non-validator and then gossiped to validators using the p2p network. These HTTP APIs are expected to only be accessible by trusted users or to have external rate limiting. AvalancheGo will log warnings if the HTTP API is binding to a potentially public interface:
**https://github.com/ava-labs/avalanchego/blob/7455c9971e3dd06d3248daf716ce678cfb2abd16/node/node.go#L1000-L1004**.
Note that the HTTP API is completely unrelated to the p2p network. The HTTP API is not exposed by the p2p network.
Even if some validators are misconfigured to have public HTTP APIs, the Avalanche network is designed to handle a threshold of nodes being crashed. Additionally, Ava Labs provides a free validator monitoring service which checks for validators that are misconfigured to have public HTTP APIs. Based on our analysis, validators do not commonly have public HTTP APIs.
For these reasons, we have explicitly marked DoS vulnerabilities in AvalancheGo’s HTTP API as out-of-scope. Specifically, this report seems to fall inside of the following out-of-scope definition:
Any usage of the node's HTTP API through intended mediums. Intended mediums include usage:
If you’d like to report a bug in https://api.avax.network, you should make a report to the avalabs bounty program: **https://immunefi.com/bug-bounty/avalabs/**. To be clear, however, https://api.avax.network does enforce rate limiting. The rate limiting is more complex than simply limiting the rate of inbound requests. As expected by AvalancheGo, the rate limiting occurs externally from the node instance for this service.
AvalancheGo is a core component of the Avalanche blockchain, implementing essential functions such as consensus and peer-to-peer (P2P) networking. To support Ethereum Virtual Machine (EVM) compatibility, AvalancheGo integrates the coreth module, which manages EVM core implementation and EVM-related API calls like eth_call and eth_estimateGas.
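As an added example (not code from the report, from Ava Labs or from AvalancheGo), the following Go admission check shows the kind of external front-end control the response says AvalancheGo expects and the report recommends: a per-client request budget, plus a cap on the explicit `gas` value of eth_call / eth_estimateGas, applied before a JSON-RPC body is forwarded to the node. The `Limiter` and `Admit` names, the 50,000,000 gas cap, the client address and the sample request bodies are all constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// Limiter caps requests per client in fixed one-second windows (constructed; add a mutex for concurrent use).
type Limiter struct {
	limit, window int64 // per-second budget; unix second of the current window
	counts        map[string]int64
}

// Allow records one request from client and reports whether it stays within this second's budget.
func (l *Limiter) Allow(client string, now time.Time) bool {
	if sec := now.Unix(); sec != l.window || l.counts == nil {
		l.window, l.counts = sec, map[string]int64{} // new window: reset every client's count
	}
	l.counts[client]++
	return l.counts[client] <= l.limit
}

// Admit screens one JSON-RPC body before it reaches the node: budget first, then a gas cap on calls.
func Admit(l *Limiter, client string, body []byte, maxGas uint64, now time.Time) (bool, string) {
	if !l.Allow(client, now) {
		return false, "rate limited"
	}
	var req struct{ Method string `json:"method"`; Params []json.RawMessage `json:"params"` }
	var call struct{ Gas *string `json:"gas"` } // hex quantity, e.g. "0x5208"
	if json.Unmarshal(body, &req) != nil {
		return false, "malformed JSON-RPC"
	}
	isCall := req.Method == "eth_call" || req.Method == "eth_estimateGas"
	if isCall && (len(req.Params) == 0 || json.Unmarshal(req.Params[0], &call) != nil) {
		return false, "malformed call object"
	}
	if call.Gas != nil { // only explicit gas is capped; otherwise the node applies its own default
		gas, err := strconv.ParseUint(*call.Gas, 0, 64) // base 0 accepts the 0x prefix
		if err != nil || gas > maxGas {
			return false, "gas unparseable or above cap"
		}
	}
	return true, "" // non-call methods are only rate limited here
}

func main() {
	fmt.Println(Admit(&Limiter{limit: 100}, "198.51.100.7", []byte(`{"method":"eth_call","params":[{"gas":"0x5208"}]}`), 50_000_000, time.Now()))
}
```

The check rejects oversized gas before the node ever executes the call, and the window counter resets per second so a well-behaved client is never locked out for long.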