Skip to content

rdin777/-op-stack-state-panic-

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

-op-stack-state-panic-

If this research helped you, please consider giving it a ⭐ Star.

🚀 Stay Updated

Found this research useful?

  • Star ⭐ this repo to keep track of it.
  • Follow me on GitHub for more DeFi security research.
  • Fork it if you want to run your own experiments.

☕ Support the Research

If you appreciate the work and want to support further security research:

Donate QR

Wallet Address (ETH/EVM): 0xBDDD7973D0DE27B715A4A5cbdb87d0DF78757b3A

Proof of Concept for a Nil Pointer Dereference vulnerability in Optimism-Geth (op-geth) state management, leading to node panic (DoS).

📝 Disclosure Status

  • Platform: HackerOne
  • Program: Coinbase (Optimism/op-geth)
  • Status: Duplicate (Report #3509907)
  • Note: This vulnerability was discovered independently. Although it was previously reported by another researcher, this repository documents my unique approach to identifying the Nil Pointer Dereference in StateDB and providing a fix.

Markdown

Vulnerability Research: Node Panic in Optimism-Geth (op-geth)

Overview

This repository contains a Proof of Concept (PoC) for a Nil Pointer Dereference vulnerability discovered in the state management logic of op-geth (the engine powering Base and Optimism L2s). The vulnerability leads to an immediate node crash (DoS) during specific state revert operations.

Technical Analysis

The panic occurs when the state journal attempts to revert a nonceChange for an account that has been destroyed and removed from the active state database within the same transaction/block.

  • Type: Denial of Service (DoS)
  • Component: core/state
  • Root Cause: nil pointer dereference in stateObject.setNonce
  • Status: Reported via HackerOne (Informative)

Stack Trace Highlights

panic: runtime error: invalid memory address or nil pointer dereference
goroutine 7 [running]:
[github.com/ethereum/go-ethereum/core/state.(*stateObject).setNonce](https://github.com/ethereum/go-ethereum/core/state.(*stateObject).setNonce)(...)
    /home/as/op-geth/core/state/state_object.go:570
[github.com/ethereum/go-ethereum/core/state.nonceChange.revert](https://github.com/ethereum/go-ethereum/core/state.nonceChange.revert)(...)
    /home/as/op-geth/core/state/journal.go:369
Proof of Concept
The issue can be reproduced by chaining CreateAccount, SelfDestruct, and RevertToSnapshot on the same address. See op_stack_revert_panic_test.go for the full implementation.

Impact
An attacker could potentially craft a transaction that, when processed by a sequencer or a validator node, causes the node to panic and shut down. In a network environment, this could lead to a halt in block production or synchronization issues.

About

Proof of Concept for a Nil Pointer Dereference vulnerability in Optimism-Geth (op-geth) state management, leading to node panic (DoS).

Topics

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages