← Back to Research
Research · July 7, 2026

Eighteen advisories, ten node implementations, one attack class

Simon Morley·1 min read

Since NR-2026-001 we have published eighteen advisories across ten independent node implementations. They are not unrelated bugs. They are recurring attack classes targeting the same structural weakness: unauthenticated ingress surfaces where a cheap request forces disproportionate cost.

Egress amplification

Short request, massive response. IOTA multiGetObjects: 41,636x. Aptos accounts/modules: ~10,000x. rippled batch: 25-32x.

Memory amplification

IOTA gRPC streams: 472 MB to 7.6 GB in seconds. Cardano submit-api: 444 MB persistent from a 500 MB POST. Sui wide-filter subscriptions: persistent pins until restart.

Pre-auth CPU exhaustion

Bitcoin Core BIP-324 handshake: 55-256x latency inflation. CometBFT SecretConnection: three cores at 56k probes/sec.

Connection exhaustion and crashes

IOTA gRPC subscriber-slot exhaustion. Cosmos-SDK gRPC: no MaxConcurrentStreams limit. reth transaction decode: unbounded Vec, fixed upstream (PR #23718). Agave snapshot bootstrap panic via oversized AppendVec data_len, before the hash gate.

One taxonomy

The mechanism is chain-agnostic. The taxonomy and public corpus (NullRabbit/nr-bundles-public) catalogue by class, not chain.

All measured on instrumented infrastructure. Full details and reproducers in the individual advisories.

security-researchadvisoryvalidator-securitydosamplificationtaxonomy
Publication policy:Why we publish these findings →

Related Posts