forked from somatic-labs/meteorite
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathNew finding_ malformed txns never leave mempool (1).eml
162 lines (153 loc) · 8.25 KB
/
New finding_ malformed txns never leave mempool (1).eml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
Delivered-To: [email protected]
Received: by 2002:a05:7010:9358:b0:386:1b88:f1c4 with SMTP id s24csp1175272mdk;
Sun, 8 Oct 2023 00:02:38 -0700 (PDT)
X-Received: by 2002:a2e:9a84:0:b0:2c2:8e57:24a7 with SMTP id p4-20020a2e9a84000000b002c28e5724a7mr11382021lji.21.1696748557916;
Sun, 08 Oct 2023 00:02:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1696748557; cv=none;
d=google.com; s=arc-20160816;
b=jbvzPbvUpr9jhvle9oYmFA9Hc63qX93kCkmga7WVMdDRvDV7Uf//Rv0GLCn+PpzDAF
rZ3E9IzHVjsE7PP7jCZeehIgCK5hGCvwTRRNiofULJZo4KiPh6qJyrI/tcuXwJ71NmFP
sPw2OTLCS3PqOKab5keyLIoomvznjatJRxiNy1bKP7ttVlFgSJXAjseDUf0/dYg9DRFN
qqFHUCvlZJ+f6x0qAUEj2Ceo/qb9hVX/e21ojfsZYvrzJhxq5ZArtaQOS+9BHAn21Byh
hbr2z+2KoTABOQcQh4MC1yljp+dtn3AZofuIrunyATSzUEr2VmrVvrmSKLXi8RdEYAXA
z6rQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:dkim-signature;
bh=Jp0fVrF1RgqLySggcSCxluu2XET9AoZpGz+pAB0k6v4=;
fh=xbxVu/gK9P9rUuV4tra91OWbF4K+j0AwTKh4KMOMdUE=;
b=WGcy5mjYfEBhrC0ikPQHruBdY+yqc5VbPayOn/+n/xjHRKGC6X1PEf/hmMHdUNaM6/
TMd4D0N4Rv2OPAwjWrZmgZBxUk6dYb9OOzIi7WQk+evjiv0Bnd0bswjAyShHUYAOkeuh
/1IQzwwp3DuMS9L+p/sAMDk3NJifubV9AVS/nytTES21suTGx4dOlROhhywasD3OlA1Y
iYr3CNhQbkd4oldDc5DIRq6LezgeeaPnTRBf3sf1vEXnhUGwsZqzbHnu+PvIene/E6U0
AYqjPI3QddULtLbNEynTW1SVjbO1VLY7hHZdYYYhJTQhGOIMaS1hJfIV1hqWkm/FSUsw
BX0A==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass [email protected] header.s=google header.b=PzsSjBL9;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected]
Return-Path: <[email protected]>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
by mx.google.com with SMTPS id h18-20020a05651c125200b002bffa3cee8bsor1395294ljh.4.2023.10.08.00.02.37
for <[email protected]>
(Google Transport Security);
Sun, 08 Oct 2023 00:02:37 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=google header.b=PzsSjBL9;
spf=pass (google.com: domain of [email protected] designates 209.85.220.41 as permitted sender) [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=amulet.dev; s=google; t=1696748557; x=1697353357; darn=notional.ventures;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=Jp0fVrF1RgqLySggcSCxluu2XET9AoZpGz+pAB0k6v4=;
b=PzsSjBL9p6hU7Wae+JP6KwMqIdIh+LQH1d8GP3X6SSi0KpJkywHpAQZPicaf1+RL+w
8euUt07qEJ3Igodiyn0IXfsXqzwys3XC9RDYFfmBGekJLu/zcv03yi8ysgugrfv0t3Ff
E6L2qKb3XgSXi99NzXajouSqJ2/7QYlZJ1z8NYsd28Gb0cnqEnWrn/KiOmz5wS3SnH+F
ppxIt52fEQg8OVN2zCS2sTAcuVOWdcJQXeOm5tqgiE2f7qQgZO/1359VjNPIwmUzQZwN
rmKDTVc/bKoj52VB2ThpwMx6Zcq35e61sjeuxWGz36ElFb3oYpX+EzrI7agwTKahL8uN
Qfug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1696748557; x=1697353357;
h=cc:to:subject:message-id:date:from:in-reply-to:references
:mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=Jp0fVrF1RgqLySggcSCxluu2XET9AoZpGz+pAB0k6v4=;
b=nYLEjpjDt5HWalnnEH0rNtEzODWRkLqjk5JbmRxxulN4WkiMFbz5j43yjYaRATy1r4
jBEcKpJDPC+RmPB6El2R0g0cnCpTaMOKYHr1/sCDbXfJ8pqjfd/LMGgrcj6qXDFQZqXC
6+51PQtReeSWOCUlByBO4xX+tmbV7O6Vswzd/nuaFzYMnWB6RvawaMR6uOZBkbXSHlD5
IfjzqOKDMQs7bD8SvwjFnmuLkA6DBKgAsaWNXk6in/jVCw8l20y8wHO9ufZUFsHyKvmJ
sPjyN/FkoP+2Eq4Mp3EHDOYinnvLlCQmAdCg4C1YOby4mYu8HbKpxrbd6axYn26ngu+V
3bgQ==
X-Gm-Message-State: AOJu0Yw1gwxKp2DRlrHunoaF0PBhHwYZPaqiZuu4jtDuVG0Ra0rqvgez
lGuW0QdIz2yZWfJB9WfphGleJxL1zryUpfzz5Dt154xjUBx78ij72Hc=
X-Google-Smtp-Source: AGHT+IFeisG7M0jahFEvyHwnFMBy/2jREztFlWFT/+h/a0+I+NCGJD8J+uZxhhd2DJCb58FLuVa/Pa0yhDPTbK3vt0o=
X-Received: by 2002:a05:6512:5ce:b0:501:c996:1996 with SMTP id
o14-20020a05651205ce00b00501c9961996mr8880016lfo.67.1696748556542; Sun, 08
Oct 2023 00:02:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAK5+0FT48fsLMDSi8uQLfTiy9N0-UOBYtUhfSFVQhyQ+i2vwag@mail.gmail.com>
In-Reply-To: <CAK5+0FT48fsLMDSi8uQLfTiy9N0-UOBYtUhfSFVQhyQ+i2vwag@mail.gmail.com>
From: Moshe Mizrahi <[email protected]>
Date: Sun, 8 Oct 2023 00:02:25 -0700
Message-ID: <CAGYWHoasmYsbvQwisqz+m4YMZEaeucyPUfqGn1uDaz7fbRUKoQ@mail.gmail.com>
Subject: Re: New finding: malformed txns never leave mempool
To: Jacob Gadikian <[email protected]>
Content-Type: multipart/alternative; boundary="000000000000fc755906072f0eae"
--000000000000fc755906072f0eae
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hey Jacob,
Thank you for the additional context. I=E2=80=99ll make sure it is included=
in the
triage.
Thanks,
Mo
On Sat, Oct 7, 2023 at 11:27=E2=80=AFPM Jacob Gadikian <[email protected]=
ures>
wrote:
>
> I realize that in the present state people aren't actually in the habit o=
f
> looking at the repository that we created, but if you see in there there'=
s
> a file called mempoolcryptocrew.json.
>
> That contains these, I think.
>
> In order to understand the attack I strongly recommend running it.
>
> Below are Joe's findings
>
> ```
>
> @Jacob Gadikian another (albeit reasonably minor) bug - note untested,
> just from reading the mempool code:
>
> Notably, the both of these values (checkTx and txPreFilter) use the raw
> value of MaxBytes, but should - for correctness - use types.MaxDataBytes(=
)
> to ensure the total block size remains within the correct bounds. Failure
> to use the correct value allows a malicious actor to fill a network's
> mempool with transactions of size `types.MaxDataBytes > x > MaxBytes` whi=
ch
> can never be delivered (as they will never be picked up by ReapMaxTxBytes=
-
> which does use the correct value),.
>
> ```
>
>
>
--000000000000fc755906072f0eae
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"auto">Hey Jacob,</div><div dir=3D"auto"><br></div><div dir=3D"a=
uto">Thank you for the additional context. I=E2=80=99ll make sure it is inc=
luded in the triage. =C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"au=
to">Thanks,=C2=A0</div><div dir=3D"auto">Mo</div><div><br><div class=3D"gma=
il_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sat, Oct 7, 2023 at 11:2=
7=E2=80=AFPM Jacob Gadikian <[email protected]> wrote:<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1=
px #ccc solid;padding-left:1ex"><div dir=3D"auto"><div dir=3D"auto"><br></d=
iv><div dir=3D"auto">I realize that in the present state people aren't =
actually in the habit of looking at the repository that we created, but if =
you see in there there's a file called mempoolcryptocrew.json.=C2=A0</d=
iv><div dir=3D"auto"><br></div><div dir=3D"auto">That contains these, I thi=
nk.=C2=A0</div><div dir=3D"auto"><br></div><div dir=3D"auto">In order to un=
derstand the attack I strongly recommend running it.</div><div dir=3D"auto"=
><br></div><div dir=3D"auto">Below are Joe's findings</div><div dir=3D"=
auto"><br></div><div dir=3D"auto">```</div><div dir=3D"auto"><br></div>@Jac=
ob Gadikian another (albeit reasonably minor) bug - note untested, just fro=
m reading the mempool code:<div dir=3D"auto"><br></div><div dir=3D"auto">No=
tably, the both of these values (checkTx and txPreFilter) use the raw value=
of MaxBytes, but should - for correctness - use types.MaxDataBytes() to en=
sure the total block size remains within the correct bounds. Failure to use=
the correct value allows a malicious actor to fill a network's mempool=
with transactions of size `types.MaxDataBytes > x > MaxBytes` which =
can never be delivered (as they will never be picked up by ReapMaxTxBytes -=
which does use the correct value),.</div><div dir=3D"auto"><br></div><div =
dir=3D"auto">```</div><div dir=3D"auto"><br></div><div dir=3D"auto"><br></d=
iv></div>
</blockquote></div></div>
--000000000000fc755906072f0eae--