Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AVM-1 No Gas Gharges for Failed Transactions #409

Open
SA124 opened this issue Aug 21, 2024 · 3 comments
Open

AVM-1 No Gas Gharges for Failed Transactions #409

SA124 opened this issue Aug 21, 2024 · 3 comments
Assignees
@mzabaluev
Labels
Source: Audit Issues discovered by audit. suzuka:safety
Milestone
Suzuka Genesis

Comments

@SA124
Copy link

SA124 commented Aug 21, 2024
edited
Loading

AVM-1 No Gas Gharges for Failed Transactions

Auditor: Movebit
Code: Aptos Core
Severity: Critical
Discovery Methods: Manual Review
Status: Pending
Code Location:
aptos-move/aptos-vm/src/aptos_vm.rs#1654
Descriptions:
Pre-processing checks are performed on transactions as they enter the mempool:
Screenshot 2024-08-21 at 10 47 18 AM

But the SEQUENCE_NUMBER_TOO_NEW error for transactions with sequence_number
greater than the current account.sequence_number is covered in the function. This is as
expected (because future transactions are also going into the pool pending.) But the too_new
error for transactions with sequence_number greater than the current
account.sequence_number is covered in the function. This is as expected (since future
transactions are also going into the transaction pool pending:

Screenshot 2024-08-21 at 10 47 51 AM
At this point the transaction goes to the mempool and is written to the DA. After that it will
read the transaction from DA and execute it when the code is as follows:

Screenshot 2024-08-21 at 10 48 21 AM
At this point, the transaction is still checked for the same things that are checked during
preprocessing.

Screenshot 2024-08-21 at 10 48 50 AM

In this case, the sequence_number is higher than the current sequence_number, resulting in
an error. However, the handling fee is deducted after this check is performed, so no handling
fee is deducted for the transaction. This issue can lead to DA of transactions, mempool
being dosed at 0 cost.
Suggestion:
It is suggested to refer to the design idea of aptos to do the pending processing for the
transaction whose sequence_number is larger than the current sequence_number.
@poetyellow poetyellow mentioned this issue Aug 23, 2024
Open
@mzabaluev mzabaluev added the Source: Audit Issues discovered by audit. label Aug 26, 2024
@l-monninger l-monninger mentioned this issue Aug 30, 2024
Open
@mzabaluev mzabaluev mentioned this issue Sep 12, 2024
Closed
@l-monninger l-monninger added this to the Centralized Mainnet milestone Sep 12, 2024
@msjyryxdzzj
Copy link

We looked at the logic of the code fix in #542, and it was fixed for the same sequence_number too new, but it could still be attacked in the same way as the previous attack for a different sequence_number too new transaction.

@l-monninger
Copy link
Collaborator

@msjyryxdzzj What is your proposed attack? You cannot duplicate sequence numbers will not leave the mempool to the same node under #542?

This also became PR #722 (as it was ultimately signed). See the tests added therein for whether the issue is addressed.

@msjyryxdzzj
Copy link

Attacker sends a transaction with seq_number greater than the current seq_number
For example, if the current seq_number is 10, the attacker sends a transaction with a seq_number of 11,12,13,14... different seq_numbers to bypass the repair check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mzabaluev mzabaluev

Labels
Source: Audit Issues discovered by audit. suzuka:safety
Projects
None yet
Milestone
Suzuka Genesis
Development

No branches or pull requests
4 participants
@mzabaluev @msjyryxdzzj @SA124 @l-monninger