Update your LEAP nodes – Security Patch

Any Antelope Node operator (WAX Nodes included) needs to update their nodes to the patched versions as soon as possible to ensure their services remain stable.

The Antelope team discovered a Denial of Service (DoS) vulnerability that affects all Leap versions of the Antelope blockchain software. This was communicated to top-ranked Node operators across all Antelope chains on 2023-07-08, with a 48-hour notice before the patch release. The 48h notice is to ensure network stability, since this vulnerability affects all nodes, including validator nodes.

The 48h notice gives Block Producers time to prepare for the update, as it affects all nodes, including Validators. This is to ensure we have secure networks.

The vulnerability was discovered through an internal process by the Antelope team, and we don't know of any case where it has been exploited. The exploit could be triggered through on-chain actions, which would result in crashes of the Nodeos software. The patch also addresses a bug where more memory was used than what was billed to the user. With both issues patched, memory usage is reduced to match the billed amount.

This vulnerability doesn't affect users or accounts.
It strictly concerns Node operators, whose nodes can crash from on-chain actions.
Your accounts and assets are SAFE.

Update all WAX Nodes to the latest releases

The Hotfix and updates are included in the following releases: 3.1.5, 3.2.4 and 4.0.4
There is also a wax-323wax01-hotfix if you do not want to update from 3.2.3, but want the patch.

APT package: 

# If you need to add the gpg key
$ sudo apt-get install software-properties-common
$ curl -sS https://apt.waxsweden.org/key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/eossweden-2023.gpg > /dev/null

# Add the repository
# Ubuntu 18.04
$ sudo apt-add-repository -y 'deb [arch=amd64] https://apt.waxsweden.org/wax bionic stable'
# Ubuntu 20.04
$ sudo apt-add-repository -y 'deb [arch=amd64] https://apt.waxsweden.org/wax focal stable'
# Ubuntu 22.04
$ sudo apt-add-repository -y 'deb [arch=amd64] https://apt.waxsweden.org/wax jammy stable'

# To install the new version
$ sudo apt-get update
$ sudo apt-get install wax-leap-315wax01

# Nodeos versions installed from apt are located in: /usr/opt

For Antelope releases (Not WAX Adapted) - https://eosswedenorg.github.io/apt/antelope
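
To confirm after the update that a node is actually on a fixed release, the version it reports can be compared with the patched versions listed above. The script below is an added example, not code from the original post or from the Antelope or WAX projects; the function names are hypothetical, and it assumes version strings of the form `v<major>.<minor>.<patch>` with an optional suffix such as `wax01`.

```shell
#!/bin/sh
# Added example (not from the original post). Patched minimums per release
# line are taken from the post: 3.1.5, 3.2.4 and 4.0.4.

# leap_patch_status VERSION
# Prints: patched | vulnerable | check-hotfix | unknown
leap_patch_status() {
    ver=${1#v}                          # "v3.1.5wax01" -> "3.1.5wax01"
    case "$ver" in
        *.*.*) ;;                       # need major.minor.patch
        *) echo unknown; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    tail=${rest#*.}                     # "5wax01"
    patch=${tail%%[!0-9]*}              # leading digits only: "5"
    for part in "$major" "$minor" "$patch"; do
        case "$part" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    case "$major.$minor" in
        3.1) min=5 ;;
        3.2) min=4 ;;
        4.0) min=4 ;;
        *) echo unknown; return 0 ;;    # release line not named in the post
    esac
    if [ "$patch" -ge "$min" ]; then
        echo patched
    elif [ "$major.$minor.$patch" = 3.2.3 ]; then
        # Assumption: the version string alone cannot show whether the
        # wax-323wax01-hotfix build is installed; check the package instead.
        echo check-hotfix
    else
        echo vulnerable
    fi
}

# audit_nodes: reads "name version" lines on stdin, prints one status line
# per node, and returns 1 unless every node is confirmed patched.
audit_nodes() {
    rc=0
    while read -r name version; do
        [ -n "$name" ] || continue
        st=$(leap_patch_status "$version")
        printf '%s %s %s\n' "$name" "$version" "$st"
        [ "$st" = patched ] || rc=1
    done
    return "$rc"
}
```

On a single host, `echo "local $(nodeos --version)" | audit_nodes` checks the installed binary; for a fleet, feed it one `name version` line per node.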

Git Repo - Source:

Summary

The exploit was found during internal testing by the Antelope team. There is no known case where this exploit has been used.
This is a security patch to the Antelope software that applies to all nodeos instances and should be applied as soon as possible.

You can read more about this release and security patch here: https://github.com/AntelopeIO/leap/releases/tag/v4.0.4
