## Critical Economic DoS Vulnerability in Snowbridge Outbound Queue Enables Low-Cost Resource Exhaustion on Polkadot
A high-severity economic denial-of-service vulnerability has been identified in the Snowbridge Outbound Queue pallet, a component of the polkadot-sdk repository. The flaw creates a critical mismatch between the actual computational cost of processing a message and the static weight charged to the user, potentially allowing attackers to trigger heavy CPU processing for minimal fees.

The vulnerability resides in the `do_process_message` function, which performs `ethabi::encode` and hashing operations on raw message payloads of arbitrary length. While the time complexity of these operations scales linearly with message size (O(n) in the payload's byte length), the pallet charges a fixed, static weight regardless of payload size. This gap enables resource exhaustion at a cost far below the computational burden actually imposed on the network, bypassing Substrate's intended fee model, in which the weight charged is meant to reflect the work performed.

The issue has been flagged as priority-critical by the reporter, @CaspianOri, and affects a bridge infrastructure component widely used within the Polkadot ecosystem. Attackers exploiting this vulnerability could degrade network performance, increase validator load, and potentially interfere with legitimate cross-chain message processing. The risk is particularly acute for validators and relayers handling outbound queue operations, as computational resources would be consumed disproportionately to fees collected. Remediation would require implementing dynamic weight accounting tied to actual payload size rather than relying on static estimates, ensuring fees align with real processing costs.
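The static-versus-size-aware weight distinction described above, as an added illustration that is not Snowbridge's or polkadot-sdk's own code: the `Weight` type is a simplified stand-in for Substrate's, and the base, per-byte and budget constants are assumptions chosen for the example.

```rust
// Added example (not the pallet's code): a minimal model of Substrate-style
// weight accounting contrasting a static charge with one that follows the
// O(n) encode-and-hash cost. All benchmark figures below are assumptions.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Weight {
    pub ref_time: u64,   // computation budget (picoseconds in Substrate)
    pub proof_size: u64, // storage-proof budget (bytes)
}

impl Weight {
    pub const fn from_parts(ref_time: u64, proof_size: u64) -> Self {
        Self { ref_time, proof_size }
    }
    pub fn saturating_add(self, o: Weight) -> Weight {
        Weight::from_parts(self.ref_time.saturating_add(o.ref_time),
                           self.proof_size.saturating_add(o.proof_size))
    }
    pub fn saturating_mul(self, n: u64) -> Weight {
        Weight::from_parts(self.ref_time.saturating_mul(n),
                           self.proof_size.saturating_mul(n))
    }
    pub fn any_gt(self, o: Weight) -> bool {
        self.ref_time > o.ref_time || self.proof_size > o.proof_size
    }
}

// Assumed benchmark results: fixed overhead plus a per-byte cost for
// ABI-encoding and hashing the payload, and a per-message budget.
const BASE_WEIGHT: Weight = Weight::from_parts(50_000_000, 1_000);
const PER_BYTE_WEIGHT: Weight = Weight::from_parts(1_000, 1);
const MAX_MESSAGE_WEIGHT: Weight = Weight::from_parts(500_000_000, 200_000);

/// Vulnerable pattern: the charged weight ignores the payload length entirely.
pub fn static_weight(_payload: &[u8]) -> Weight {
    BASE_WEIGHT
}

/// Hardened pattern: the charge grows with the bytes actually encoded and hashed.
pub fn size_aware_weight(payload: &[u8]) -> Weight {
    BASE_WEIGHT.saturating_add(PER_BYTE_WEIGHT.saturating_mul(payload.len() as u64))
}

/// Pre-dispatch check: reject a payload whose true cost exceeds the per-message
/// budget rather than processing it for the base fee.
pub fn check_message(payload: &[u8]) -> Result<Weight, &'static str> {
    let w = size_aware_weight(payload);
    if w.any_gt(MAX_MESSAGE_WEIGHT) { Err("payload exceeds message weight budget") } else { Ok(w) }
}
```

With a 100,000-byte payload the static charge stays at the base weight while the size-aware charge is three times larger; a 1,000,000-byte payload is refused outright by `check_message`.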
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: economic-dos, vulnerability, polkadot-sdk, substrate, resource-exhaustion
- **Credibility**: unverified
- **Published**: 2026-05-03 07:54:07
- **ID**: 79090
- **URL**: https://whisperx.ai/en/intel/79090