Péter Szilágyi discovered a flaw in Avalanche’s PeerList package on March 29, 2022
Péter Szilágyi, an Ethereum developer, has published a vulnerability report explaining how a fault he discovered in Avalanche would have brought down the entire network.
Péter Szilágyi discovered a vulnerability in Avalanche’s PeerList package on March 29, 2022, which a bad actor might have easily exploited. The Avalanche developer team swiftly patched the issue once he contacted them.
PeerList’s flaw
The Avalanche network interacts using a PeerList package that can only be transmitted by validating nodes.
explained that an attacker may exploit the vulnerability by staking the 2,000 AVAX tokens required to be a validator node and sending a malicious PeerList package to network nodes.
Szilágyi clarified;
Since all nodes in the network connect to all validators, it’s pretty much an insta-death for the entire network.
He also added;
The price is of course 2000AVAX, but I kind of find that acceptable since a nice short would net a sweet profit and the network would rebound anyway after a few hours so no long term value lost in the malicious validator.
As of March 2022, it was estimated that the market capitalization of the Avalanche network exceeded $24 billion.
If the vulnerability had been exploited by an adversary, the ecosystem would have collapsed catastrophically.
Avalanche’s Bug War
During the February 2021 introduction of the DeFi protocol Pangolin on Avalanche, the network encountered a “cross-chain finality” flaw that pushed it into “self-healing mode.”
Some validators on Avalanche accepted invalid mint transactions as a result of a high network load. As a result, the network was forced to suspend all transactions for hours.
The developers applied a quick fix and processed all pending transactions.