GHSA-j494-7x2v-vvvp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j494-7x2v-vvvp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-j494-7x2v-vvvp/GHSA-j494-7x2v-vvvp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j494-7x2v-vvvp
- Aliases
- Related
- Published
- 2023-07-13T17:02:12Z
- Modified
- 2024-08-20T20:58:44.223725Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H CVSS Calculator
- Summary
- mx-chain-go's relayed transactions always increment nonce
- Details
-
Impact
When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag
RelayedNonceFixEnableEpochwas needed. This was a strict processing issue while validating blocks on a chain.Patches
v1.4.17 and later versions contain the fix for this issue
Workarounds
there were no workarounds for this issue. The affected account could only wait for the DoS attack to finish as the attack was not free or to attempt to send transactions in a very fast manner so as to compete on the same nonce with the attacker.
References
For the future understanding of this issue, on v1.4.17 and onwards versions, we have this integration test that addresses the issue and tests the fix. https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
- Database specific
{ "nvd_published_at": "2023-07-13T19:15:09Z", "cwe_ids": [ "CWE-400" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-07-13T17:02:12Z" }- References
-
- https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp
- https://nvd.nist.gov/vuln/detail/CVE-2023-34458
- https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43
- https://github.com/multiversx/mx-chain-go
- https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
- https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17
Affected packages
Go / github.com/multiversx/mx-chain-go
Package
- Name
- github.com/multiversx/mx-chain-go
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/multiversx/mx-chain-go