CVE-2023-42374
Homebrew vulnerability analysis and mitigation

Overview

A critical vulnerability (CVE-2023-42374) was discovered in Mysten Labs' Sui blockchain before version 1.6.3. Known as the "Memory Bomb" vulnerability, it allows an unauthenticated remote attacker to exhaust a node's memory, and so cause a denial of service, by sending a crafted snappy-compressed message to the Sui node component. The published description also speaks of arbitrary code execution, but the analysis below and the Beosin report document memory exhaustion only. The vulnerability was discovered and reported by Beosin security researchers and was patched in Sui mainnet_v1.6.3, released on August 1, 2023 (Beosin Report).

Technical details

The vulnerability lies in the message compression used on the node's p2p/RPC layer. Nodes compress RPC messages with the snappy algorithm and accept messages up to a hardcoded maximum of 2GB. When a message arrives, the node decompresses the entire payload into memory before deserializing it, so the memory consumed is determined by the attacker-controlled decompressed size rather than by the size on the wire. Beosin showed that a 1.97GB snappy-compressed payload could decompress to 42GB, so processing it would need at least 43.97GB of memory (the compressed input plus the decompressed output). That expansion is the best case for snappy's copy element, which yields 64 output bytes for every 3 input bytes (roughly 21x), so the ratio cannot be pushed much higher, but it does not need to be. The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The vulnerability could crash individual Sui nodes, validators and fullnodes alike, through memory exhaustion. The attack is cheap: because the payload is delivered as a network message rather than as a transaction, it costs no gas, and an attacker only needs to send the payload from multiple threads to one or more target nodes. Taking down enough validators, or the fullnodes that serve clients, could effectively disrupt network operations (Beosin Report).

Mitigation and workarounds

The vulnerability was patched in Sui mainnet_v1.6.3, released on August 1, 2023. The fix replaced whole-buffer decompression with streaming decompression that enforces a 1GB cap on the decompressed size, and reduced the RPC message size limit from 2GB to 1GB. Because the limit is applied while the output is being produced, a payload whose real expansion exceeds the cap is rejected instead of being materialized in memory, while legitimate messages are unaffected (Sui Patch). Operators should run v1.6.3 or later. Note that the cap bounds the memory used per message; peer and connection limits still matter against many concurrent payloads.
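The following is an added example, not Sui's code, the Beosin proof of concept or the actual patch. It builds the kind of payload described under Technical details (a valid raw-snappy block in which every 3-byte copy element expands to 64 bytes, the same ~21x ratio as the 1.97GB to 42GB payload in the report) and then shows the defence described under Mitigation: an incremental decoder that checks the declared length up front and checks every element against the cap before materializing it, so a header that lies about the size is caught too. The decoder is a minimal implementation of the raw snappy block format written for this page (the framing format wraps a sequence of such blocks, each at most 64 KiB uncompressed, so a per-stream cap is needed there as well); it is not the decoder Sui uses, and the sizes are scaled down from gigabytes to kilobytes so it runs in a moment. Class and function names are the example's own.

```python
# Added example (not Sui's code): a raw-snappy decompression bomb and a bounded,
# incremental decoder that rejects it. Standard library only.
from typing import Tuple


class DecompressionBombError(ValueError):
    """Raised when decoding would exceed the declared length or the output cap."""


def encode_varint(n: int) -> bytes:
    """Little-endian base-128 varint, as used for the snappy length preamble."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def decode_varint(buf: bytes, pos: int = 0) -> Tuple[int, int]:
    """Return (value, next_position); the preamble is at most 5 bytes."""
    value, shift = 0, 0
    while shift <= 28:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("varint too long")


def declared_length(buf: bytes) -> int:
    """What a naive decoder trusts and pre-allocates from the header alone."""
    return decode_varint(buf)[0]


def build_snappy_bomb(target_len: int) -> bytes:
    """Valid raw-snappy block that decodes to target_len zero bytes (constructed).

    One 1-byte literal, then 2-byte-offset copies of length 64 at offset 1:
    3 compressed bytes per 64 output bytes, about 21x.
    """
    if target_len < 1:
        raise ValueError("target_len must be >= 1")
    buf = bytearray(encode_varint(target_len))
    buf += b"\x00\x00"                        # literal tag (len 1) + byte 0x00
    remaining = target_len - 1
    while remaining > 0:
        n = min(64, remaining)
        buf.append(((n - 1) << 2) | 0x02)     # copy element, 2-byte offset, length n
        buf += b"\x01\x00"                    # offset 1: repeat the previous byte
        remaining -= n
    return bytes(buf)


def decompress_bounded(buf: bytes, max_out: int) -> bytes:
    """Decode a raw snappy block, never letting the output grow past max_out."""
    declared, pos = decode_varint(buf)
    if declared > max_out:                    # cheap rejection on the header
        raise DecompressionBombError(f"declared {declared} bytes > cap {max_out}")
    out = bytearray()

    def take(k: int) -> bytes:
        nonlocal pos
        if pos + k > len(buf):
            raise ValueError("truncated input")
        chunk = buf[pos:pos + k]
        pos += k
        return chunk

    while pos < len(buf):
        tag = take(1)[0]
        kind = tag & 0x03
        if kind == 0x00:                      # literal
            n = tag >> 2
            if n >= 60:                       # 1-4 extra little-endian length bytes
                n = int.from_bytes(take(n - 59), "little")
            n += 1
            if len(out) + n > declared:       # checked before any bytes are copied
                raise DecompressionBombError("output exceeds declared length")
            out += take(n)
            continue
        if kind == 0x01:                      # copy, 1-byte offset, length 4..11
            n = ((tag >> 2) & 0x07) + 4
            offset = ((tag & 0xE0) << 3) | take(1)[0]
        elif kind == 0x02:                    # copy, 2-byte offset, length 1..64
            n = (tag >> 2) + 1
            offset = int.from_bytes(take(2), "little")
        else:                                 # copy, 4-byte offset, length 1..64
            n = (tag >> 2) + 1
            offset = int.from_bytes(take(4), "little")
        if offset == 0 or offset > len(out):
            raise ValueError("copy offset outside decoded window")
        if len(out) + n > declared:           # the streaming cap check
            raise DecompressionBombError("output exceeds declared length")
        start = len(out) - offset
        if offset >= n:                       # non-overlapping copy
            out += out[start:start + n]
        elif offset == 1:                     # run-length: repeat last byte
            out += out[-1:] * n
        else:                                 # overlapping copy, byte by byte
            for _ in range(n):
                out.append(out[-offset])
    if len(out) != declared:
        raise ValueError("decoded length does not match header")
    return bytes(out)


if __name__ == "__main__":
    bomb = build_snappy_bomb(1 << 20)         # 1 MiB of output from ~48 KiB of input
    print(len(bomb), "bytes on the wire ->", declared_length(bomb), "bytes declared")
    try:
        decompress_bounded(bomb, max_out=1 << 19)   # 512 KiB cap: rejected
    except DecompressionBombError as exc:
        print("rejected:", exc)
```

Two things to note. The header check alone is not enough: a sender can declare a small length and still emit copies, so the cap has to be applied per element as the output grows, which is what "streaming decompression with a limit" buys over "decompress, then check". And a per-message cap bounds each message only; a node that accepts many connections still needs per-peer limits to keep the aggregate under control.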


Related Homebrew vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name  CISA KEV exploit  Has fix  Published date
CVE-2026-21693  HIGH      8.8    Homebrew      iccdev          No                Yes      Jan 07, 2026
CVE-2026-21692  HIGH      8.8    Homebrew      iccdev          No                Yes      Jan 07, 2026
CVE-2025-69262  HIGH      7.8    JavaScript    pnpm            No                Yes      Jan 07, 2026
CVE-2026-21885  MEDIUM    6.5    NixOS         miniflux        No                Yes      Jan 08, 2026
CVE-2026-21691  MEDIUM    6.5    Homebrew      iccdev          No                Yes      Jan 07, 2026
