Platform: Code4rena
Start Date: 01/03/2024
Pot Size: $60,500 USDC
Total HM: 4
Participants: 18
Period: 21 days
Judge: Lambda
Total Solo HM: 3
Id: 344
League: POLKADOT
Rank: 12/18
Findings: 1
Award: $69.85
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Cryptor
Also found by: 0xTheC0der, Bauchibred, Daniel526, XDZIBECX, ihtishamsudo, zhaojie
69.8535 USDC - $69.85
The impact of this vulnerability could be severe. An attacker could exploit the absence of rate limiting to launch DoS attacks, causing service degradation or complete unavailability. By flooding the system with a large volume of requests, the attacker could exhaust server resources such as CPU, memory, or network bandwidth, rendering the system inaccessible to legitimate users.
pub fn batch_http_request(requests: Vec<HttpRequest>, timeout_ms: u64) -> ext::BatchHttpResult { const MAX_CONCURRENT_REQUESTS: usize = 5; if requests.len() > MAX_CONCURRENT_REQUESTS { return Err(ext::HttpRequestError::TooManyRequests); } // Send HTTP requests concurrently... } pub fn http_request( request: HttpRequest, timeout_ms: u64, ) -> Result<HttpResponse, HttpRequestError> { // Send a single HTTP request... }
In the batch_http_request function, there is a check to limit the number of concurrent HTTP requests (MAX_CONCURRENT_REQUESTS). However, there is no mechanism for rate limiting the overall volume of requests over time. This means that while the number of requests sent concurrently is limited, there is no control over the rate at which requests can be sent overall. Without rate limiting, an attacker could still flood the system with a large number of requests sequentially, bypassing the concurrent request limit and potentially causing a denial of service (DoS) attack.
Similarly, in the http_request function, there is no rate limiting mechanism implemented. Each call to this function represents a single HTTP request, and there is no restriction on the frequency or volume of these requests. Therefore, an attacker could repeatedly call this function to send a large number of requests within a short period, overwhelming the server and causing service disruption.
Manual
Rate limiting mechanisms should be implemented at the application level to control the rate of incoming HTTP requests. This can involve setting limits on the number of requests per second, per minute, or per hour, depending on the desired level of protection and the system's capacity.
Error
#0 - c4-pre-sort
2024-03-25T07:17:13Z
141345 marked the issue as primary issue
#1 - c4-pre-sort
2024-03-25T07:17:30Z
141345 marked the issue as sufficient quality report
#2 - 141345
2024-03-25T07:18:11Z
number of concurrent HTTP requests is resitricted, but not for frequency of HTTP requests
#3 - kvinwang
2024-03-26T02:18:03Z
This work should be implemented on the worker side, not at runtime. Actually, there are already some things, such as CFS-like Scheduler scheduling network IO, in the worker to handle such impacts.
#4 - kvinwang
2024-03-26T07:24:07Z
We had a discussion when designing this and decided to have a professional external firewall program handle the system level network security, which is why all outgoing requests are supported to set a SOCKS proxy server.
#5 - c4-sponsor
2024-03-26T07:26:52Z
kvinwang (sponsor) acknowledged
#6 - OpenCoreCH
2024-03-27T14:51:57Z
The fact that the runtime does not implement rate limiting does not necessarily lead to a DoS opportunity, this heavily depends on how the runtime is invoked from the workers and what the measures to limit resource usage are there. Implementing rate limiting as an additional safe guard in the runtime is a valid suggestion, therefore downgrading to QA
#7 - c4-judge
2024-03-27T14:52:08Z
OpenCoreCH changed the severity to QA (Quality Assurance)
#8 - c4-judge
2024-03-27T18:22:53Z
OpenCoreCH marked the issue as grade-b