Research · Tag · Advisory

Posts tagged advisory.

6 entries · sorted: recency← All research
RESEARCH
2026-07-13

How unauthenticated simulateTransaction requests saturate an Agave RPC node's executor pool

Agave runs the simulateTransaction handler synchronously on its shared Tokio executor threads, so unauthenticated, gas-free simulate requests pin those workers and add queue latency across the validator's entire JSON-RPC tier — not just the simulate path.

Simon Morley
Read →7 min read
RESEARCH
2026-07-13

How CometBFT's SecretConnection handshake spends CPU before authenticating the peer

CometBFT completes the full SecretConnection STS handshake — an X25519 Diffie–Hellman exchange and an Ed25519 signature verification — for any connecting peer before checking whether that peer's node-ID is allowlisted, so an unauthenticated remote source can spend the node's asymmetric-crypto budget at will.

Simon Morley
Read →8 min read
RESEARCH
2026-07-13

How unbounded HTTP/2 concurrent streams let one TCP connection OOM-kill an IOTA node's public gRPC server

An IOTA node's public gRPC server accepts an unbounded number of concurrent HTTP/2 streams on a single TCP connection, so one client multiplexing around 200 concurrent GetTransactions calls drives resident memory from a few hundred MB to multiple GB in about 10 seconds until the kernel OOM-killer terminates the node.

Simon Morley
Read →7 min read
RESEARCH
2026-07-13

How an unauthenticated TLS half-open flood pins rippled's memory and crashes it under low file-descriptor limits

rippled's inbound TLS listeners on the peer port (51235) and the RPC-HTTPS port (5006) accept a partial TLS handshake with no deadline and no per-IP half-open cap, so a single source IP can pin server memory indefinitely and, at a default file-descriptor limit, crash the process.

Simon Morley
Read →8 min read
SECURITY-RESEARCH
2026-07-07

Eighteen advisories, ten node implementations, one attack class

Since NR-2026-001, eighteen advisories across ten independent node implementations. Not unrelated bugs: one recurring attack class, unauthenticated ingress surfaces where a cheap request forces disproportionate cost. Egress and memory amplification, pre-auth CPU exhaustion, connection exhaustion, and crashes.

Simon Morley
Read →1 min read
RESEARCH
2026-05-12

NR-2026-001 - Three Agave RPC architectural findings

Three architectural findings in the Agave JSON-RPC layer at v3.1.9: response amplification on getMultipleAccounts, Tokio executor saturation via simulateTransaction, and spawn_blocking pool saturation via getProgramAccounts. Architectural patterns, not rate-limit DoS - operator rate limits don't close them.

Simon
Read →12 min read