Skip to content
This repository has been archived by the owner on Nov 30, 2021. It is now read-only.

Weak noncecheck lead to replay of transactions #686

Closed
summerpro opened this issue Jan 6, 2021 · 2 comments
Closed

Weak noncecheck lead to replay of transactions #686

summerpro opened this issue Jan 6, 2021 · 2 comments

Comments

@summerpro
Copy link
Contributor

summerpro commented Jan 6, 2021
edited
Loading

Vulnerability Overview:

Since there is no explicit +1 limit on the nonce check used by ethermint, this results in transactions passing the antehandler checksum as long as they are greater than the node’s cached nonce. If the victim sends a very large nonce transaction, the attacker can replay the transaction.

Details and Root Cause:

First, we found some ground truths:

As long as the MsgEthereumTx is larger than the current node’s cache nonce, it will pass both noncecheck.
Signaturecheck uses the nonce field of the transaction itself, so transactions larger than the current cached nonce can still pass signaturecheck.
Thus, if a msg have a large nonce,then it can be replaied.

Steps to Exploit:

Suppose the victim sends a nonce that is much larger than the current node’s cache.
An attacker can replay this transaction.
This was referenced Jan 6, 2021
Closed
Merged
@fedekunze
Copy link
Contributor

closed via #692

@zhongqiuwood zhongqiuwood mentioned this issue Jan 13, 2021
Closed
@summerpro
Copy link
Contributor Author

Credit to: OKLink & Chaitin Tech

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@summerpro @fedekunze