Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Sei Protocol DoS- 1479

ExVulnPosted 1 Year Ago
  • Sei is a popular L1 blockchain built on Cosmos that runs both EVM and CosmWasm runtimes. After a recent infinite mint and DoS, the authors decided to try to find more bugs in it.
  • The function GetRawSignatureValues decodes a BlobTx submitted by the end user. While that data is being decoded, the conversion through MustFromBig can underflow on attacker-controlled input and panic. Transaction decoding runs inside the ABCI FinalizeBlock handler, which has no panic recovery, so one malformed transaction takes down every Sei node that processes the block.
  • The proof of concept is absurdly simple: a transaction whose bytes are z0000000000000000000000000000000000000000000000000. That makes the signature's S value underflow and crashes the node.
  • The fix is to wrap the decoding in a deferred recover() so the panic is caught instead of propagating out of FinalizeBlock. Some parts of Cosmos still do not handle panics in important code paths; this fix adds that handling here. Good find!
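As an added example (not code from ExVul's write-up or from Sei itself), the following Go program models the failure mode the summary describes: a MustFromBig-style conversion that panics on out-of-range input, called from a FinalizeBlock-style loop with no panic handler, next to the hardened version that catches the panic with a deferred recover() and rejects only the offending transaction. The mustFromBig stand-in, the Tx type, the transaction IDs and the sample block are all assumptions constructed for the demonstration; the real uint256 library and Sei's decoding paths are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
)

// ErrInvalidSignature is returned by the hardened decoder when a
// signature component cannot be represented as an unsigned 256-bit value.
var ErrInvalidSignature = errors.New("signature value does not fit in uint256")

// mustFromBig is an assumed stand-in for a MustFromBig-style constructor:
// it panics, rather than returning an error, when the big.Int is negative
// (the "underflow" case) or wider than 256 bits.
func mustFromBig(b *big.Int) [32]byte {
	if b.Sign() < 0 || b.BitLen() > 256 {
		panic(fmt.Sprintf("uint256: value %v out of range", b))
	}
	var out [32]byte
	b.FillBytes(out[:]) // big-endian, zero-padded to 32 bytes
	return out
}

// RawSignature holds the decoded r, s, v components of a transaction.
type RawSignature struct {
	R, S, V [32]byte
}

// getRawSignatureValuesVulnerable mirrors the pattern in the write-up:
// the conversion can panic on attacker-controlled input and nothing on
// this path catches it.
func getRawSignatureValuesVulnerable(r, s, v *big.Int) RawSignature {
	return RawSignature{R: mustFromBig(r), S: mustFromBig(s), V: mustFromBig(v)}
}

// getRawSignatureValuesSafe is the hardened form: a deferred recover()
// turns the panic into an error the caller can act on.
func getRawSignatureValuesSafe(r, s, v *big.Int) (sig RawSignature, err error) {
	defer func() {
		if rec := recover(); rec != nil {
			err = fmt.Errorf("%w: %v", ErrInvalidSignature, rec)
		}
	}()
	return getRawSignatureValuesVulnerable(r, s, v), nil
}

// Tx is a minimal assumed transaction carrying only its signature components.
type Tx struct {
	ID      string
	R, S, V *big.Int
}

// finalizeBlockVulnerable models a FinalizeBlock loop with no panic handler:
// one bad transaction panics and aborts processing of the whole block.
func finalizeBlockVulnerable(txs []Tx) int {
	accepted := 0
	for _, tx := range txs {
		_ = getRawSignatureValuesVulnerable(tx.R, tx.S, tx.V)
		accepted++
	}
	return accepted
}

// finalizeBlockSafe rejects the malformed transaction and keeps processing.
func finalizeBlockSafe(txs []Tx) (accepted int, rejected []string) {
	for _, tx := range txs {
		if _, err := getRawSignatureValuesSafe(tx.R, tx.S, tx.V); err != nil {
			rejected = append(rejected, tx.ID)
			continue
		}
		accepted++
	}
	return accepted, rejected
}

// panics reports whether fn panics, so the node-crash behaviour can be
// shown without actually crashing the program.
func panics(fn func()) (crashed bool) {
	defer func() {
		if recover() != nil {
			crashed = true
		}
	}()
	fn()
	return false
}

// sampleBlock is a constructed block: one valid tx, one with a negative S
// (underflow), and one with an S that needs more than 256 bits.
func sampleBlock() []Tx {
	two256 := new(big.Int).Lsh(big.NewInt(1), 256)
	return []Tx{
		{ID: "valid", R: big.NewInt(1), S: big.NewInt(2), V: big.NewInt(27)},
		{ID: "negative-s", R: big.NewInt(1), S: big.NewInt(-1), V: big.NewInt(27)},
		{ID: "oversized-s", R: big.NewInt(1), S: two256, V: big.NewInt(27)},
	}
}

func main() {
	block := sampleBlock()
	fmt.Println("vulnerable FinalizeBlock panics:", panics(func() { finalizeBlockVulnerable(block) }))
	accepted, rejected := finalizeBlockSafe(block)
	fmt.Println("hardened FinalizeBlock accepted:", accepted, "rejected:", rejected)
}
```

The important detail is where the recover() sits: it wraps the decoding of a single transaction, so the block as a whole still finalizes and only the malformed transaction is rejected. A recover() placed around the entire block handler would stop the crash but would still let one attacker transaction discard every other transaction in the block.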