FullNode 40+min desync + unprotected wallet APIs (pre-v4.8.1)

[whathehack81]

FullNode 40+min desync + unprotected wallet APIs (pre-v4.8.1)

Environment:

• FullNode version: [check logs/docker]
• Node: 127.0.0.1:8090
• OS: Kali Linux host

Problem:

1. 40+min chain desync: getnodeinfo shows block:empty, peers:0 (sync.csv = 29K lines proof)
2. Unprotected APIs: /wallet/* process malformed addresses (TTest111...) → 200 OK, 0-byte
3. No rate limiting: 198K requests in 2min (malformed-flood.csv proof)

Repro:

Monitor desync

while true; do curl localhost:8090/wallet/getnodeinfo | jq .block,.currentConnectCount; sleep 1; done
Flood test

curl -s "localhost:8090/wallet/triggerconstantcontract"
-H "Content-Type: application/json"
-d '{"owner_address":"TTest11111111111111111111111111111111"}'

text

Impact:

• Validator offline 40+min = missed blocks
• Unlimited malformed requests = trivial DoS
• Public FullNode exposure risk

Attachments:
POC VIDEO SHOWING THE EXACT STEPS

sync.csv
nowblock-tx.json
malformed-pids.txt
malformed-flood.csv
live_contracts.txt
impact-malformed.csv
block-903-post.json

[whathehack81]

CRITICAL UPDATE: 595,368 PIDs Spawned

$ cat malformed-pids.txt | wc -l
595368

FullNode spawns 1 PID per malformed request = TOTAL PROCESS EXHAUSTION

• 198K requests → 595K processes
• No cleanup/reaping mechanism
• Validator OOM killed

This = legitimate DoS (CWE-400 / CWE-770)

[whathehack81]

HackerOne #3692209 Filed
595K PIDs = confirmed DoS via malformed processing
Files on H1: https://hackerone.com/reports/3692209

[abn2357]

Rate limiting can be configured via the rate.limiter setting in the configuration file. Both per-API and global rate limiting are supported.

[whathehack81]

Rate limiting PROVES the vulnerability:

1. 100 parallel malformed addresses → 429 Rate Limit (log attached)
2. Server processed malformed payloads (volume protection bypassed)
3. Each triggers contract execution + InvalidParameterException
4. 595K PIDs / 40min outage = demonstrated amplification

Key evidence: Rate limiter fired AFTER malformed validation failed.
Valid volume = rejected early. Malformed volume = processed → rate limited.

Not rate limiting issue: Malformed bypasses input validation entirely.
Fix: Reject "TTest..." at boundary (HTTP 400), before ANY processing.

Attachments: malformed-100.log (100x HTTP 429 from malformed processing)

[halibobo1205]

Hi @whathehack81, thanks for the report.

Please do not file a public ticket mentioning the vulnerability. Public issues can expose attack details before a fix is available and put other node operators at risk.

To report a vulnerability in TRON, please use one of the following channels:

• HackerOne: https://hackerone.com/tron_dao
• Email: bounty@tron.network

Please read the [disclosure policy](https://www.hackerone.com/disclosure-guidelines) for more information about publicly disclosed security vulnerabilities. See also our [SECURITY.md](https://github.com/tronprotocol/java-tron/blob/develop/SECURITY.md).

Since you've already submitted this through HackerOne (Report #3692209), the security team will follow up with you there. We'll close this public issue to prevent further disclosure of attack details, and all triage, discussion, and remediation will continue on the HackerOne report.

Thanks again for taking the time to report — we appreciate it, and we'll keep the conversation on H1.

[whathehack81]

Okay I apologize I didn't know that issues that were public. I thought I requested to make it private. I'm sorry.

[waynercheung]

+1 to @halibobo1205 - HackerOne is the right channel for this. Happy to help on H1 side if the security team needs another pair of eyes on the HTTP path.