In a vulnerability report, Péter Szilágyi described how a coding flaw in Avalanche might have brought down the whole network.
On March 29, 2022, Péter Szilágyi discovered a bug in the PeerList package of Avalanche that a bad actor could easily have exploited. The vulnerability was patched immediately after he contacted the developer team behind Avalanche.
The PeerList package, which the Avalanche network uses for communication, can only be sent by validator nodes. According to Szilágyi, the vulnerability would let an attacker compromise the entire network simply by staking the 2,000 AVAX tokens needed to become a validator node and distributing a malicious PeerList package to nodes.
“Since all nodes in the network connect to all validators, it’s pretty much an insta-death for the entire network,” Szilágyi explained. “The price is of course 2000AVAX, but I kind of find that acceptable since a nice short would net a sweet profit and the network would rebound anyway after a few hours so no long term value lost in the malicious validator.”
The Avalanche network’s market value was estimated at over $24 billion as of March 2022. Had a hostile actor taken advantage of the vulnerability, the resulting collapse would have been devastating for the ecosystem.
The network encountered a “cross-chain finality” bug at the launch of the DeFi protocol Pangolin on Avalanche in February, which forced it to move into “self-healing mode”.
Due to high network load, some validators in Avalanche accepted invalid mint transactions. As a result, the network was forced to stop all transactions for several hours. The developers swiftly patched the problem, and all pending transactions were completed.