Ello! Posting a summary by the security team
Starknet Security Update: potential full node vulnerability
At Starknet, we strive to maintain the highest security standards for our ecosystem. On November 23, 2024, Guanxing Wen from CertiK found a potential vulnerability in Starknet full nodes. Below, we detail our investigation, implemented fixes, and our broader security posture.
Timeline of Events
- 2024-11-23 @ 00:04 UTC: We received a bug report from Guanxing Wen, highlighting a potential vulnerability in the processing of Declare transactions, which applies to v2 and v3 Declare transactions.
- 2024-11-23 @ 06:06 UTC: The Security team acknowledges receipt and begins initial triage.
- 2024-11-24 @ 06:12 UTC: Preliminary analysis confirms the integer overflow vulnerability does not impact the Starknet sequencer due to stricter compiler build flags. However, full nodes remain affected.
- 2024-11-24 @ 19:47 UTC: A security patch is developed and tested for the integer overflow issue.
- 2024-11-25 @ 16:00 UTC: Starknet disseminates updated build instructions to full-node operators. No real-world exploit is observed.
Technical Analysis
Integer Overflow in Node Infrastructure
The vulnerability centers on the Sierra bytecode decompression logic of Cairo classes, which runs when handling v2 or v3 Declare transactions. An attacker could craft a malicious transaction in such a way that a carefully chosen overflow value causes the node to enter an infinite loop, monopolizing CPU resources. While the Starknet sequencer uses a binary of the compiler built with the overflow-checks flag enabled and is therefore not exposed to this attack, many full-node implementations used different build configurations and were therefore exposed.
Without proper overflow checks, nodes processing this malicious transaction risk full CPU saturation, potentially leading to shutdowns, service stalls, or halting the interaction between nodes and Dapps if multiple full-node operators are targeted in quick succession. Our team worked with node developers to implement strict overflow settings and additional guardrails around integer handling for each node. By enforcing these measures, the vulnerability is neutralized, and full nodes remain robust under malicious traffic.
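As an added illustration (not the Cairo compiler's or any node's code), here is a toy record walker in Rust, the language of the Cairo compiler, assuming the summary's "overflow-checks flag" is Cargo's `overflow-checks` profile setting and using a constructed length-prefixed format that is not the Sierra encoding: the first version wraps its cursor silently, as an unchecked build does, and one crafted length sends it back to where it started; the second rejects the overflow explicitly, so the outcome no longer depends on how the operator built the binary.

```rust
use std::convert::TryFrom;

/// Toy record walker: a 4-byte big-endian length, then that many payload
/// bytes, repeated. Constructed for illustration; it is NOT the Sierra format.
/// Models a build without overflow-checks: the u32 cursor wraps silently, so a
/// crafted length can send it back to a position it already visited.
/// `max_steps` exists only so the demo can report the hang instead of hanging.
pub fn walk_wrapping(data: &[u8], max_steps: usize) -> Result<usize, &'static str> {
    let end = data.len() as u32;
    let mut pos: u32 = 0;
    let mut records = 0;
    for _ in 0..max_steps {
        if pos >= end {
            return Ok(records);
        }
        let i = pos as usize;
        let hdr = data.get(i..i + 4).ok_or("truncated header")?;
        let len = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]);
        pos = pos.wrapping_add(4).wrapping_add(len); // silent wrap-around
        records += 1;
    }
    Err("did not terminate") // a real node would spin here forever
}

/// Hardened walker: overflow and overrun are rejected explicitly, so the
/// outcome no longer depends on which compiler profile the operator used.
pub fn walk_checked(data: &[u8]) -> Result<usize, &'static str> {
    let end = u32::try_from(data.len()).map_err(|_| "input too large")?;
    let mut pos: u32 = 0;
    let mut records = 0;
    while pos < end {
        let i = pos as usize;
        let hdr = data.get(i..i + 4).ok_or("truncated header")?;
        let len = u32::from_be_bytes([hdr[0], hdr[1], hdr[2], hdr[3]]);
        pos = pos.checked_add(4).and_then(|p| p.checked_add(len)).ok_or("length overflow")?;
        if pos > end {
            return Err("record overruns input");
        }
        records += 1;
    }
    Ok(records)
}

fn main() {
    // Constructed inputs: two benign records, then a single oversized header.
    let benign: Vec<u8> = vec![0, 0, 0, 2, b'a', b'b', 0, 0, 0, 0];
    let crafted = 0xFFFF_FFFCu32.to_be_bytes();
    println!("benign:  {:?} / {:?}", walk_wrapping(&benign, 1000), walk_checked(&benign));
    println!("crafted: {:?} / {:?}", walk_wrapping(&crafted, 1000), walk_checked(&crafted));
}
```

With `overflow-checks = true` the plain `+` in an unchecked build would panic rather than wrap, which stops the loop but still aborts the node's processing; explicit `checked_add` turns the condition into an ordinary rejected-input error on every build.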
Impact and Outcome
Node Shutdown & Potential Dapps Halting
Left unaddressed, the vulnerability can have significant consequences. The integer overflow could paralyze full nodes. A wave of such attacks might temporarily disrupt or halt node progress and its ability to process JSON-RPC requests.
No Real-World Exploitation
At the time of publishing, we have seen no evidence of these issues being exploited in the wild. The prompt disclosure allowed us to patch and inform the wider community before any malicious event could materialize.
Closing Thoughts
We appreciate the ongoing collaboration between Starknet, external auditors, and independent researchers. This partnership model helps us strengthen every layer of our security stack. While the official sequencer build prevented the issue from impacting mainnet operations, we strongly encourage all node operators to apply the patches.
If you are a developer or security researcher passionate about helping shape a safer blockchain future, we invite you to join our bug bounty and security programs. Continuous vigilance and collective transparency remain key pillars of Starknet’s mission to push cryptographic rollups forward in the most secure manner possible.