This repository has been archived by the owner on Oct 28, 2021. It is now read-only.

DoS vulnerability detected #5925

Open
mous314anony opened this issue Jun 5, 2021 · 2 comments

@mous314anony

Bug Report: Low-cost DoS of Ethereum's transaction propagation by exploiting Aleth's transaction replacement policy

  • Time: May 24th, 2021

Summary

Aleth allows an unconfirmed transaction in its txpool to be replaced by another transaction at almost the same Gas price. By exploiting this policy, we design and validate a low-cost bandwidth DoS.

Consider a network where all nodes run the Aleth client. The attacker can send a series of N transactions to the network. All N transactions are of the same sender and nonce. In the sequence, each transaction has a slightly higher Gas price than its predecessor transaction (e.g., higher price by 1 wei).

In this attack, the attacker pays essentially for one transaction but has the network propagate N transactions. This allows the attacker to unfairly use the network resources (bandwidth and per-node CPU) and to further deny its service.

To fix the above problem, Aleth should set a minimum price bump for replacement transactions similar to that of Geth (Parity), such as 10% (12.5%).

Background

It is common for Ethereum clients to support replacement transactions. This feature allows transaction senders to prioritize the inclusion of their transactions by bidding a higher gas price in the new transactions and to replace previous low-priced transactions sent earlier.

All Ethereum clients, including Geth, Parity/Open-Ethereum, Besu, Aleth, and Nethermind, support this feature.

However, if the client does not limit the percentage of gas price raised in the replacement transactions, an attacker can exploit this vulnerability to congest the victim client by sending a large sequence of pending transactions.

Proof of Concept

  • In the current implementation of Aleth, a user can replace a previously sent pending transaction with a new transaction by bidding a slightly higher gas price. Suppose the gas price of the previous transaction is K; then the gas price of the replacement transaction is K+1.

You can verify this by running one Aleth node in a private network.

  1. Send one pending transaction with gas price being 1 Gwei (10^9).
  2. Check if the pending transaction is accepted by txpool through eth.pendingTransactions.
  3. Send a replacement transaction of the same sender/nonce, with gas price being 1 Gwei + 1 (10^9+1).
  4. Check if the replacement transaction is accepted by txpool through eth.pendingTransactions.
  • You should be able to see that at step 4, in the txpool, the replacement transaction successfully replaced the transaction sent at step 1.

Mitigation

To mitigate such a DoS attack, we propose the following defenses.

  1. A practical defense is to set the minimum percentage for the gas price of replacement transactions in the txpool, such as 10% (12.5%) adopted by other clients.
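
The mitigation proposed above, as an added example that is not part of the original report and is not Aleth's code: a simplified pool with a configurable minimum price bump, run against a constructed series of same-sender/nonce transactions priced 1 wei apart. `TxPool`, `minReplacementPrice`, `relayedCount` and the basis-point parameter are hypothetical names chosen for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <utility>

// Hypothetical, simplified pool (not Aleth's classes): one pending slot per
// (sender, nonce). Prices are wei in uint64_t; real clients use 256-bit values.
struct Tx { uint64_t sender, nonce, gasPrice; };

class TxPool {
public:
    // bumpBps: required price increase in basis points (1000 = 10%, 1250 = 12.5%).
    // 0 models the policy from the report: any strictly higher price replaces.
    explicit TxPool(uint64_t bumpBps) : m_bumpBps(bumpBps) {}

    // Lowest gas price allowed to replace a pending transaction priced `old`.
    uint64_t minReplacementPrice(uint64_t old) const {
        // ceil(old * bps / 10000), split to avoid overflow (assumes bps <= 10000)
        uint64_t bump = old / 10000 * m_bumpBps + (old % 10000 * m_bumpBps + 9999) / 10000;
        if (bump == 0) bump = 1;  // a replacement must always pay strictly more
        return old > UINT64_MAX - bump ? UINT64_MAX : old + bump;
    }

    // True if tx is admitted (fresh slot or valid replacement) and so relayed to peers.
    bool submit(const Tx& tx) {
        auto key = std::make_pair(tx.sender, tx.nonce);
        auto it = m_pending.find(key);
        if (it == m_pending.end()) { m_pending.emplace(key, tx); return true; }
        if (tx.gasPrice < minReplacementPrice(it->second.gasPrice)) return false;
        it->second = tx;
        return true;
    }
private:
    uint64_t m_bumpBps;
    std::map<std::pair<uint64_t, uint64_t>, Tx> m_pending;
};

// Constructed input: one transaction plus n same-sender/nonce successors, each
// priced 1 wei above its predecessor. Returns how many the pool admits and relays.
uint64_t relayedCount(uint64_t bumpBps, uint64_t startPrice, uint64_t n) {
    TxPool pool(bumpBps);
    uint64_t relayed = 0;
    for (uint64_t i = 0; i <= n; ++i)
        relayed += pool.submit(Tx{1, 0, startPrice + i}) ? 1 : 0;
    return relayed;
}

int main() {
    std::printf("no minimum bump: %llu relayed\n", (unsigned long long)relayedCount(0, 1000000000ULL, 1000));
    std::printf("10%% minimum bump: %llu relayed\n", (unsigned long long)relayedCount(1000, 1000000000ULL, 1000));
}
```

With a 10% bump, each accepted replacement of a 1 Gwei transaction has to pay at least 0.1 Gwei more than the one it replaces, so the number of relayed copies is bounded by what the sender is willing to bid.
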
@mous314anony

wondering if the bug report is assigned?

@chfast

chfast commented Jun 18, 2021

No. This project is not being maintained.
