GHSA-j494-7x2v-vvvp

Suggest an improvement
Source
https://github.com/advisories/GHSA-j494-7x2v-vvvp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-j494-7x2v-vvvp/GHSA-j494-7x2v-vvvp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j494-7x2v-vvvp
Aliases
Published
2023-07-13T17:02:12Z
Modified
2023-11-08T04:12:47.246466Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H CVSS Calculator
Summary
mx-chain-go's relayed transactions always increment nonce
Details

Impact

When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change so a new flag RelayedNonceFixEnableEpoch was needed. This was a strict processing issue while validating blocks on a chain.

Patches

v1.4.17 and later versions contain the fix for this issue

Workarounds

there were no workarounds for this issue. The affected account could only wait for the DoS attack to finish as the attack was not free or to attempt to send transactions in a very fast manner so as to compete on the same nonce with the attacker.

References

For the future understanding of this issue, on v1.4.17 and onwards versions, we have this integration test that addresses the issue and tests the fix. https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14

References

Affected packages

Go / github.com/multiversx/mx-chain-go

Package

Name
github.com/multiversx/mx-chain-go
View open source insights on deps.dev
Purl
pkg:golang/github.com/multiversx/mx-chain-go

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.17