0xarthur.sui|5月 29, 2026 16:53
Let me explain these two bugs in Sui.
Let's first explain how the first vulnerability came about.
Vulnerability 1: Gas Calculation Overflow Vulnerability
After Sui launched free stablecoin transfers, there were issues with Gas calculations, resulting in overflow vulnerabilities.
When dealing with Gas, Sui will prune the address balance to save storage and computation, which means clearing out some balance records that are no longer needed.
However, when a transaction is aborted in advance due to insufficient funds, the system still prunes that address. At this point, the balance of the address is already insufficient, and calculating gas again will result in an overflow bug, causing inconsistent execution engine states and preventing consensus nodes from generating blocks.
Vulnerability 2: Malicious strings cause DOS attacks
The first vulnerability was fixed using a hot patch, and I think the second vulnerability was completely due to the carelessness of the security audit department.
In sui index alt graph ql, the code will directly use the SDK version in the client request header as the label for Prometheus.
Although some simple cleaning has been done, there is no whitelist restriction, and malicious clients can freely construct versions using various strings. For example, our version is 1.7.2, which is a normal request, but malicious clients can freely edit any string as the version number.
Then the number of labels on Prometheus can expand infinitely until all nodes' servers go down.
The current solution is to perform a whitelist verification.
The first outage was a design flaw, so the second one was a hacker attack. It is estimated that the hacker opened an empty ticket in advance, just to bring down Sui.
Summary: I see that all of your code is submitted directly by Claude after Vibe coding. Such a large project should not rely solely on AI. Multiple AI models should be tested in batches and manually verified before submission.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink