This weblog put up discloses a menace in opposition to the Ethereum community that was current from the Merge up till the Dencun laborious fork.
Background
Previous to the merge, completely different message measurement limits for RPC communication have been set to guard shoppers from denial-of-service (DOS) assaults. These limits, utilized to messages obtained through HTTP endpoints, have been carried over to the engine API, which performs a vital position in connecting Execution and Consensus Layer shoppers throughout block manufacturing. As a result of engine API’s involvement in block manufacturing, it turned potential for blocks to be produced that surpassed the RPC measurement limits of some shoppers however remained throughout the acceptable vary for others.
If an attacker creates a message that exceeds the dimensions restrict of the shopper with the bottom setting, whereas nonetheless adhering to the fuel restrict necessities, after which waits for a block to be produced, it may lead to a state of affairs the place some shoppers regard the block as legitimate, whereas others reject it, issuing a HTTP error code “413: Content material Too Giant.”
Affect
An attacker that might craft these messages would be capable of power nearly all of nodes (=geth) to reject blocks {that a} minority would settle for. These blocks could be forked away and the proposer would miss out on rewards.
At first we thought that it was solely potential to create these blocks by utilizing builders or a modified model of a shopper. Geth has a builtin restrict of 128KB for transactions, which signifies that a giant transaction just like the one underneath dialogue wouldn’t find yourself within the transaction swimming pools of any geth node. It was nonetheless potential to nonetheless set off the restrict by having a shopper with the next restrict suggest the block and the CL requesting validation of this proposed larger block.
We proposed an answer in quickly reducing the RPC restrict on all shoppers to the bottom worth (5MB). This may make the block invalid and an attacker could be very restricted within the chaos they will trigger within the community because the majority of the nodes would reject their blocks.
Nevertheless on February seventh we found that it was potential to create a block that may hit the 5MB restrict with a bunch of transactions which can be under the 128KB restrict and never exceed 30 million fuel.
It is a larger problem as a result of we realized an attacker may create a bunch of excessive paying transactions and ship them to the community. Since he outpays everybody else within the mempool, each node (even geth nodes) would come with the assault transactions of their block thus making a block that may not be accepted by nearly all of the community, leading to a variety of forks (all being deemed legitimate by the minority nodes) and the chain retains reorging over and over.
In a while February seventh, we got here to the conclusion that everybody elevating their RPC limits could be the safer different.
Timeline
2024-02-06 13:00: Toni (EF), Pari (EF) and Justin (Besu) attempt to submit a specificly grinded transaction to the community. The transaction contributes to as much as 2.7 MB blocks when snappy compressed.2024-02-06 13:25: Pari receives errors from his native Geth node though the transaction ought to be legitimate.2024-02-06 15:14: Justin managed to place the transaction in a block and submitted it by way of the Besu shopper.2024-02-06 20:46: Sam (EF) alerts Pari (particular due to mysticryuujin on X), Toni and Alex about sure Sepolia nodes struggeling.2024-02-06 21:05: Staff double checks with Marius from Geth and confirms the bug.2024-02-06 21:10: The gang will get collectively to debug it2024-02-07 23:40: We determined for all shoppers to restrict their RPC request restrict to 5MB2024-02-07 6:40: We found that there could be an even bigger problem and the assault might be executed with transactions lower than 128KB measurement.2024-02-07 10:00: We determined for all shoppers to extend the RPC request restrict.2024-02-07 21:00: The repair was merged in geth.2024-02-09: Geth was launched
Whereas Geth was the one shopper affected by this bug, different shoppers have additionally up to date their defaults to be protected of this assault even when fuel limits are elevated.
The shopper groups indicated that the next updates have the protected rpc limits:
Geth: v1.13.12
Nethermind: v1.25.4
Besu: 24.1.2
Erigon: v2.58.0
Reth: v0.1.0-alpha.18
