Consensus Bypass via Environment Variable Manipulation #6518

@bhaskarvilles

Description

Sophon Service

  • venus
  • sophon-messager
  • sophon-miner
  • sophon-auth
  • sophon-gateway
  • sophon-co
  • docs

Version

v1.19.0

Describe the Bug

Consensus Bypass via Environment Variable Manipulation

Severity: CRITICAL (CVSS 9.1)

Root Cause Analysis

The Venus implementation allows critical consensus validation to be disabled through environment variables without proper access controls or warnings. Specifically:

Location: pkg/constants/env.go:15

```go
var InsecurePoStValidation = os.Getenv("INSECURE_POST_VALIDATION") == "1"
```

Affected Components:

  • pkg/consensus/block_validator.go:500 - Drand randomness validation bypass
  • pkg/chain/randomness.go:285 - Randomness verification bypass
  • pkg/chain/store.go:522 - Chain validation bypass

Attack Vector

An attacker with the ability to set environment variables on a Venus node (through container orchestration misconfiguration, compromised deployment scripts, or supply chain attacks) can:

  1. Disable PoSt Validation: Set INSECURE_POST_VALIDATION=1 to bypass Proof-of-Spacetime validation
  2. Disable Drand Verification: Set VENUS_IGNORE_DRAND=_yes_ to bypass randomness beacon verification
  3. Disable Slash Filter: Set VENUS_NO_SLASHFILTER=_yes_i_know_and_i_accept_that_may_loss_my_fil to disable consensus fault detection

Impact: The node will accept invalid blocks, potentially leading to:

  • Chain fork acceptance
  • Invalid state transitions
  • Consensus failure
  • Network partition
  • Financial loss through accepting invalid transactions

Scenario 2: Supply Chain Attack

An attacker injects environment variables through compromised CI/CD pipelines or Docker images, causing production nodes to run with disabled security validations.

Real-World Attack Model

Attacker Profile:

  • Infrastructure access (DevOps compromise, container escape)
  • Supply chain position (compromised base images, deployment tools)
  • Social engineering (tricking operators to set "debug" flags)

Prerequisites:

  • Ability to set environment variables on target node
  • Node restart capability (or set before initial start)

Exploitation Complexity: LOW
Attack Surface: HIGH (any deployment using containers, systemd, or scripts)

Severity Justification

  • Consensus Bypass: Complete circumvention of critical security validations
  • Financial Impact: Potential loss of funds through invalid state acceptance
  • Network Impact: Can cause network-wide consensus failures
  • Ease of Exploitation: Simple environment variable manipulation
  • Detection Difficulty: Silent failure, no warnings or audit logs

Long-term Solution:

  1. Remove environment variable controls for consensus-critical features
  2. Implement compile-time flags for development builds only
  3. Add runtime environment detection with strict production mode enforcement
  4. Implement audit logging for all security-sensitive configuration changes
  5. Add startup validation that fails fast if dangerous flags are detected in production
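As an added illustration of steps 4 and 5 (an audit record plus a fail-fast startup check), here is a standalone Go program that is not code from the Venus project or from this report. It checks the three flags named in this issue against the exact activation values the issue lists, refuses to start when any is set outside a development environment, and emits one audit line either way. It assumes the VENUS_ENVIRONMENT=development marker from the proposed fix; the envFromMap adapter is a hypothetical helper so the same policy can be run over the env entries of a deployment manifest in CI rather than only inside the node.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// DangerousFlag describes an environment variable that disables a
// consensus-critical validation when it holds one specific value.
type DangerousFlag struct {
	Name     string // environment variable name
	Value    string // exact value that activates the bypass
	Disables string // what validation is switched off (for the audit record)
}

// dangerousFlags lists the three switches named in this issue, with the
// activation values the issue gives. Matching is exact: "true" or "yes"
// for INSECURE_POST_VALIDATION does not count as set.
var dangerousFlags = []DangerousFlag{
	{"INSECURE_POST_VALIDATION", "1", "Proof-of-Spacetime validation"},
	{"VENUS_IGNORE_DRAND", "_yes_", "Drand randomness beacon verification"},
	{"VENUS_NO_SLASHFILTER", "_yes_i_know_and_i_accept_that_may_loss_my_fil", "consensus fault (slash) filter"},
}

// Finding is one audit record: which flag is active and what it disables.
type Finding struct {
	Flag     string
	Disables string
}

// CheckInsecureFlags scans the environment exposed by getenv (os.Getenv in
// the node, or a lookup over a manifest's env list in CI) and returns every
// active bypass flag in table order. An empty result means no bypass is active.
func CheckInsecureFlags(getenv func(string) string) []Finding {
	var found []Finding
	for _, f := range dangerousFlags {
		if getenv(f.Name) == f.Value {
			found = append(found, Finding{Flag: f.Name, Disables: f.Disables})
		}
	}
	return found
}

// AuditLine renders the findings as a single log line so the decision is
// visible in aggregated logs, not only on a local stderr.
func AuditLine(findings []Finding) string {
	if len(findings) == 0 {
		return "consensus-bypass-check: ok (no insecure flags set)"
	}
	parts := make([]string, 0, len(findings))
	for _, f := range findings {
		parts = append(parts, fmt.Sprintf("%s disables %s", f.Flag, f.Disables))
	}
	return "consensus-bypass-check: INSECURE " + strings.Join(parts, "; ")
}

// EnforceStartupPolicy is the fail-fast rule: an active bypass flag is
// tolerated only when VENUS_ENVIRONMENT=development (assumed marker taken from
// the proposed fix); otherwise a non-nil error tells the caller to refuse to
// start. The audit line is returned in both cases so it is always logged.
func EnforceStartupPolicy(getenv func(string) string) (string, error) {
	findings := CheckInsecureFlags(getenv)
	line := AuditLine(findings)
	if len(findings) > 0 && getenv("VENUS_ENVIRONMENT") != "development" {
		return line, fmt.Errorf("refusing to start: %d insecure consensus flag(s) set outside a development environment", len(findings))
	}
	return line, nil
}

// envFromMap (hypothetical helper) adapts a map, e.g. one built from the env
// list of a deployment manifest, to the getenv signature so the same policy
// can run in CI before a manifest is applied.
func envFromMap(m map[string]string) func(string) string {
	return func(k string) string { return m[k] }
}

func main() {
	line, err := EnforceStartupPolicy(os.Getenv)
	fmt.Fprintln(os.Stderr, line)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Exact-value matching mirrors the checks in the issue; the policy is table-driven so a new bypass flag is added in one place and is covered by both the startup refusal and the audit line.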

Why This Fix Works:

  • Fail-safe default: Panics prevent silent security degradation
  • Environment awareness: Only allows in explicitly marked development environments
  • Visibility: Impossible to miss the warnings
  • Defense in depth: Multiple layers of protection
  • Audit trail: Clear logging of security-relevant decisions

Logging Information

### Production-Grade Fix

**Immediate Mitigation:**


// pkg/constants/env.go
package constants

import (
    "fmt"
    "os"
    "runtime"
)

// InsecurePoStValidation should NEVER be used in production
var InsecurePoStValidation = getInsecurePoStValidation()

func getInsecurePoStValidation() bool {
    if os.Getenv("INSECURE_POST_VALIDATION") == "1" {
        // Only allow in development builds
        if runtime.GOOS == "linux" && os.Getenv("VENUS_ENVIRONMENT") != "development" {
            panic("CRITICAL SECURITY ERROR: INSECURE_POST_VALIDATION is set in non-development environment. This is a severe security violation.")
        }

        // Log prominently
        fmt.Fprintf(os.Stderr, "\n")
        fmt.Fprintf(os.Stderr, "╔════════════════════════════════════════════════════════════╗\n")
        fmt.Fprintf(os.Stderr, "║ WARNING: INSECURE_POST_VALIDATION ENABLED                  ║\n")
        fmt.Fprintf(os.Stderr, "║ This disables critical consensus validation                ║\n")
        fmt.Fprintf(os.Stderr, "║ DO NOT USE IN PRODUCTION                                   ║\n")
        fmt.Fprintf(os.Stderr, "║ Node will accept INVALID blocks and transactions           ║\n")
        fmt.Fprintf(os.Stderr, "╚════════════════════════════════════════════════════════════╝\n")
        fmt.Fprintf(os.Stderr, "\n")

        return true
    }
    return false
}

// Similar fixes for other dangerous flags
var NoSlashFilter = getNoSlashFilter()

func getNoSlashFilter() bool {
    if os.Getenv("VENUS_NO_SLASHFILTER") == "_yes_i_know_and_i_accept_that_may_loss_my_fil" {
        if os.Getenv("VENUS_ENVIRONMENT") != "development" {
            panic("CRITICAL: VENUS_NO_SLASHFILTER disabled in production environment")
        }

        fmt.Fprintf(os.Stderr, "\n⚠️  SLASH FILTER DISABLED - CONSENSUS FAULT DETECTION OFF ⚠️\n\n")
        return true
    }
    return false
}

Repro Steps

Proof of Exploitability

Scenario 1: Container Orchestration Attack

An attacker compromises a Kubernetes deployment configuration:

```yaml
# Malicious deployment modification
env:
  - name: INSECURE_POST_VALIDATION
    value: "1"
  - name: VENUS_IGNORE_DRAND
    value: "_yes_"
```
