-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Malformed BASIC_TRANSFER transactions not rejected #645
Comments
Suggested change to basic_transer.go
|
Very interesting. We're taking a look at this now. |
Pull request with validation: @diamondhands0 |
@StarGeezerPhil this should be fixed now. It looks like the mempool was failing to reject txns with an invalid signature (the amount being zero was actually a red herring). Can you try submitting the txns again to node.deso.org and lmk your results? |
It appears that malformed BASIC_TRANSFER transactions that do not include AmountNanos are not rejected by backend and can be signed and submitted into the mempool.
However, these transactions do not appear to be then accepted and mined into the chain.
@lazynina @diamondhands0 my concern is that this leaves us open to a vulnerability where the mempool could become hijacked in a DOS-type attack/clog the mempool entirely - that could overwhelm nodes and validators.
Here are the details - transactions created by user DiamondThumb:
This is his example payload provided:
Example transactions crash the blockchain explorer:
https://explorer.deso.com/txn/3JuEUQSXue97tHWVrRidZC1GUU1Qdau78YskxHGukxByz1g6xxNCCo
https://explorer.deso.com/txn/3JuETYrJjmN8LV1tvCfcZdsvMpNzB8pjzhQzAJ2BsojgcQJic4QkFu
https://explorer.deso.com/txn/3JuETB3wvCm1UQ8bFNU7uRmoWZ9hE621e4waJDYzNDeYs5a9kfb41x
https://explorer.deso.com/txn/3JuETt6hMbiYtrkAFUb1pVqWhwLj1xroXdmWbYmZzpY1SN7WKsFZua
Here is the verbose transaction details for the first example from my front-end:
DiamondThumb's thread regarding his issue here: https://desocialworld.com/posts/20891c713fe091a02b4bd556b4f2cfeef4a758ec6fdf5a7f3522317d6557ee9e
The text was updated successfully, but these errors were encountered: