An Ethereum Core Dev Saved Avalanche From $24B Network "Insta-Death"
In March, Péter Szilágyi found a vulnerability in Avalanche that had the potential to take down the entire network. Now it’s been patched, he’s revealed how bad things could have been if the bug were exploited.
- Ethereum developer Péter Szilágyi has released an Avalanche Vulnerability report from March 29.
- In the report, Szilágyi explained how he identified a bug that had the potential to completely crash the Avalanche network.
- The vulnerability was promptly patched after Szilágyi alerted Avalanche's developer team.
Share this article
A malicious actor could have taken down the entire Avalanche network for less than $200,000.
Avalanche Vulnerability Revealed
A since-patched vulnerability with the power to take down the Avalanche blockchain has been revealed.
Ethereum core developer Péter Szilágyi released an Avalanche Vulnerability report Thursday, detailing a critical bug he found in the Avalanche network code earlier this year. In the report, dated March 29, 2022, Szilágyi explained how Avalanche was vulnerable to attack by sending a malicious PeerList package to nodes and validators on the network.
Hypothetically, an attacker could have started up a new validator node, sent out malicious packets to other nodes and validators, and instantly crashed the entire Avalanche network. “Since all nodes in the network connect to all validators, it’s pretty much an insta-death for the entire network,” Szilágyi wrote.
While such an attack would have cost 2,000 AVAX tokens to fund the new validator node, it would have been a small price to pay for the potential mayhem such a move could have produced. Szilágyi explained that a malicious actor could easily recoup the cost by opening a short position against AVAX before the attack, essentially allowing them to take the network down at no cost to themselves. When the vulnerability was discovered, 2,000 AVAX tokens could have been purchased on the open market for around $179,000. At the same time, Avalanche’s market capitalization stood at over $24 billion.
Crypto Briefing reached out to Szilágyi to ask about how he came across the vulnerability. “I was trying to wrap my head around how the [Avalanche] networking works and found the packet handling a bit peculiar for my taste,” he explained. “So I wrote a fuzzer to see if I can choke it. It went boom fairly fast.” After discovering the bug, Szilágyi contacted Avalanche’s developer team, who promptly patched it a day later in the avalanchego v1.7.9 upgrade.
Avalanche is one of several Layer 1 networks that soared in popularity during the 2021 bull market. In response to rising fees on Ethereum mainnet, users flocked to competing smart contract-enabled networks to participate in DeFi and mint NFTs for a fraction of what it cost on Ethereum. The network’s native AVAX token hit an all-time high of $144.96 on Nov 21, 2021, after trading at around $3.21 at the beginning of the year. In 2022, it’s price has suffered along with the rest of the crypto market in response to the Federal Reserve’s interest rate hikes and worsening macroeconomic conditions. AVAX currently trades at around $18.81.
Crypto Briefing reached out to Ava Labs for comment but did not receive a response at press time.
Disclosure: At the time of writing this piece, the author owned ETH and several other cryptocurrencies.