Ethereum lead developer saved Avalanche from over $24B ecosystem crash Ethereum lead developer saved Avalanche from over $24B ecosystem crash
Péter Szilágyi on March 29, 2022, identified a bug in Avalanche's PeerList package which would have been easily exploited by a malicious actor.
2 min read
Updated: Sep. 8, 2022 at 9:31 pm UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
Ethereum developer Péter Szilágyi has released a vulnerability report detailing how a bug he found in Avalanche would have crashed the entire network.
Péter Szilágyi on March 29, 2022, identified a bug in Avalanche’s PeerList package which would have been easily exploited by a malicious actor. He reached out to Avalanche’s developer team and they promptly patched the vulnerability.
Publishing my #Avalanche vulnerability report from 29th March, 2022 that could have been used to take the entire network down at no cost.
The issue was fixed way back, and with the latest Avalanche hard fork, all nodes run the patched software.
Njoy 🙂https://t.co/nokedKF7IZ
— Péter Szilágyi (karalabe.eth) (@peter_szilagyi) September 8, 2022
The PeerList vulnerability
The Avalanche network communicates using a PeerList package that can only be sent by node validators. Szilágyi explained that the vulnerability was such that all an attacker needed was to stake 2000 AVAX tokens required to be a validator node and send out a malicious PeerList package to nodes on the network.
Szilágyi explained:
“Since all nodes in the network connect to all validators, it’s pretty much an insta-death for the entire network.”
He added:
“The price is of course 2000AVAX, but I kind of find that acceptable since a nice short would net a sweet profit and the network would rebound anyway after a few hours so no long term value lost in the malicious validator.”
As of March 2022, the market capitalization of the Avalanche network was estimated at over $24 billion. The crash of the ecosystem would have been fatal if a malicious attacker had hijacked the vulnerability.
Avalanche’s battle with bugs
During the launch of the DeFi protocol Pangolin on Avalanche in February 2021, the network suffered a “cross-chain finality” bug that forced it to enter a “self-healing mode.”
Avalanche experienced a heavy network load that caused some validators to accept some invalid mint transactions. Consequently, the network had to halt all transactions for hours. The developers quickly patched the issue and completed all pending transactions.
Mentioned in this article
Author 
Christian Nwobodo
Christian is a crypto-curious nerd who loves to investigate how protocols work under the hood. Christian is interested in DeFi protocol research, token economics, and on-chain analytics.
Latest Avalanche Stories
In this article
Avalanche is an umbrella platform for launching decentralized finance (DeFi) applications, financial assets, trading and other services.
Ava Labs
Ava Labs makes it simple to launch decentralized finance applications on Avalanche, the fastest smart contracts platform in the blockchain industry.
Péter Szilágyi is a Software Developer at Ethereum, a decentralized, open-source blockchain with smart contract functionality. He developed the Iris, a decentralized approach to backend messaging middlewares..
