NEAR patches ‘Web3 Ping of Death’ vulnerability that could crash network
The NEAR protocol had a critical vulnerability that could have allowed an attacker to crash every node on the network, effectively shutting it down. Discovered by Zellic, the flaw was patched in January, but similar vulnerabilities may exist in other networks.

Dubbed a “Web3 Ping of Death,” the issue arose in the peer-to-peer networking protocol used for validator communication. The protocol accepted two cryptographic signature types, and coding errors in the verification of one of them (SECP256K1) could crash a node. Although NEAR software could not generate SECP256K1 keys, a malicious actor could modify the software to exploit the flaw. Zellic demonstrated the vulnerability by creating a malicious version of NEAR software that successfully crashed legitimate nodes.

The NEAR team awarded Zellic $150,000 for the disclosure and implemented a patch. Other blockchains have faced similar issues, with notable outages affecting Arbitrum, Cardano, and Solana.