The security hole was first discovered by Ethereum team lead Peter Szilagyi. At that time, Avalanche was home to more than $9 billion in total value locked (TVL) and had a market capitalization of $24 billion, according to DeFi Llama and CoinGecko. The bug has since been patched, and Ava Labs declined to comment on it.
Publishing my #Avalanche vulnerability report from 29th March, 2022 that could have been used to take the entire network down at no cost. — Peter Szilágyi (karalabe.eth) (@peter_szilagyi) September 8, 2022
The issue was fixed way back, and with the latest Avalanche hard fork, all nodes run the patched software.
The report published by Szilagyi outlines the timeline of events as well as the details of the security vulnerability. Specifically, Szilagyi discovered the vulnerability on March 29 and approached Avalanche so that it could be patched. The team responded and quickly fixed it the same day.
This is a “remote node problem”. Roughly speaking, someone could fund an Avalanche node with around $179,000 and use it to send malicious PeerList packets (used for network communication) to other nodes, effectively taking the network down.
The attacker could also have chosen to launch an unauthenticated node (connected only to the validators rather than to all nodes in the network), which would produce the same result but would take longer.
Szilagyi provides one more fact:
“Avalanche is so comfortable on their network that even a single connection is enough to take down a node. Since all the nodes on the network are connected to all the validators, this is a big death.”
If an attacker funds a new validator to carry out the attack, they would choose to short AVAX even at an upfront cost of $179,000. This is because “the network recovers in a few hours anyway so no lasting value is lost.”
With the cryptocurrency market still facing many difficulties, Avalanche has had to deal with another "shock". Recently, an article by Crypto Leaks exposed the platform's underground operations and a series of other plots. The AVAX price experienced a "panic" on August 29, falling to 17.84 USD, but has gradually recovered since.