Eighteen advisories, ten node implementations, one attack class
Since NR-2026-001 we have published eighteen advisories across ten independent node implementations. They are not unrelated bugs. They are recurring attack classes targeting the same structural weakness: unauthenticated ingress surfaces where a cheap request forces disproportionate cost.
Egress amplification
Short request, massive response. IOTA multiGetObjects: 41,636x. Aptos accounts/modules: ~10,000x. rippled batch: 25-32x.
Memory amplification
IOTA gRPC streams: 472 MB to 7.6 GB in seconds. Cardano submit-api: 444 MB persistent from a 500 MB POST. Sui wide-filter subscriptions: persistent pins until restart.
Pre-auth CPU exhaustion
Bitcoin Core BIP-324 handshake: 55-256x latency inflation. CometBFT SecretConnection: three cores at 56k probes/sec.
Connection exhaustion and crashes
IOTA gRPC subscriber-slot exhaustion. Cosmos-SDK gRPC: no MaxConcurrentStreams limit. reth transaction decode: unbounded Vec, fixed upstream (PR #23718). Agave snapshot bootstrap panic via oversized AppendVec data_len, before the hash gate.
One taxonomy
The mechanism is chain-agnostic. The taxonomy and public corpus (NullRabbit/nr-bundles-public) catalogue by class, not chain.
All measured on instrumented infrastructure. Full details and reproducers in the individual advisories.
Related Posts
Anyone can knock a validator over once. The skill is designing an attack you can learn from
Making a node fall over is easy and proves nothing. The craft is building a reproducer that isolates the mechanism, measures it against an honest baseline, bounds the cost, and runs on one command, so the number actually means something.
Expensive work before authentication: the RPC pattern we keep finding
The DoS class that scales against validators isn't volumetric. It's small requests that cost the node real work before it authenticates the caller. The pattern we keep finding across clients, and the fix.
We slipped a path past Cloudflare's edge. The fix is one checkbox.
Cloudflare resolves dot-segments in a URL only far enough to reject the obvious escapes, then forwards the raw, still-encoded path to your origin, which quietly resolves it the rest of the way. Your edge rules see one path; your server serves another. Cloudflare even warns you about it, in a banner most people scroll past.
