#38015 [BC-Insight] Violation of EIP-2681 in Create Transaction

Submitted on Dec 21st 2024 at 20:30:28 UTC by @CertiK for Attackathon | Ethereum Protocol

  • Report ID: #38015

  • Report Type: Blockchain/DLT

  • Report severity: Insight

  • Target: https://github.com/NethermindEth/nethermind

  • Impacts:

    • (Specifications) A bug in specifications with no direct impact on client implementations

Description

Brief/Intro

EIP-2681 (https://eips.ethereum.org/EIPS/eip-2681) requires every Ethereum execution client to restrict the nonce of an account to 2^64 - 1. Specifically, a transaction with nonce 2^64 - 1 should fail, whether it is a create transaction or a call transaction. In the current implementation of Nethermind, the nonce threshold for a create transaction is 2^64 - 2, which is 1 less than the threshold (2^64 - 1) specified in EIP-2681. This could be problematic once an account reaches this threshold, potentially leading to consensus issues.

Vulnerability Details

Affected Codebase: https://github.com/NethermindEth/nethermind/tree/1.30.1

The stateless validation of a tx is performed in the function ValidateStatic(), which contains the nonce check that ensures the nonce does not exceed the threshold 2^64 - 1 specified in EIP-2681 (https://eips.ethereum.org/EIPS/eip-2681):

https://github.com/NethermindEth/nethermind/blob/1.30.1/src/Nethermind/Nethermind.Evm/TransactionProcessing/TransactionProcessor.cs#L348

However, the nonce validation checks that the nonce for a create transaction does not exceed 2^64 - 2, while the nonce for a call transaction must not exceed 2^64 - 1. According to EIP-2681 (https://eips.ethereum.org/EIPS/eip-2681), both nonce checks should be performed against 2^64 - 1.

Since the implementations of other Ethereum clients align with EIP-2681, the Nethermind client will fall out of consensus once an account reaches nonce 2^64 - 2 and invokes a create transaction. In this case, the transaction fails in the Nethermind client but succeeds in other Ethereum clients.
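The boundary described above, as an added C# model (not Nethermind's code and not part of the original report). `ReportedAccepts` is an assumption that encodes the behaviour this report describes, and all type and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Added illustration: a model of the two rules, not Nethermind source code.
public static class NonceBoundary
{
    // EIP-2681: a transaction is invalid when its nonce is >= 2^64 - 1.
    // ulong.MaxValue is exactly 2^64 - 1, so the same bound applies to both kinds.
    public static bool SpecAccepts(ulong nonce, bool isCreate) =>
        nonce < ulong.MaxValue;

    // Assumption: models the behaviour this report describes, where a create
    // transaction is already rejected at ulong.MaxValue - 1 (2^64 - 2).
    public static bool ReportedAccepts(ulong nonce, bool isCreate) =>
        isCreate ? nonce < ulong.MaxValue - 1 : nonce < ulong.MaxValue;

    // Returns every (nonce, isCreate) pair on which the two rules disagree.
    public static List<(ulong Nonce, bool IsCreate)> Divergences(IEnumerable<ulong> nonces)
    {
        var result = new List<(ulong Nonce, bool IsCreate)>();
        foreach (ulong nonce in nonces)
            foreach (bool isCreate in new[] { false, true })
                if (SpecAccepts(nonce, isCreate) != ReportedAccepts(nonce, isCreate))
                    result.Add((nonce, isCreate));
        return result;
    }

    public static void Main()
    {
        // Constructed boundary values around the EIP-2681 limit.
        ulong[] boundary = { 0, ulong.MaxValue - 2, ulong.MaxValue - 1, ulong.MaxValue };

        foreach (ulong nonce in boundary)
            foreach (bool isCreate in new[] { false, true })
                Console.WriteLine(
                    $"{(isCreate ? "create" : "call"),-6} nonce={nonce,-20} " +
                    $"spec={SpecAccepts(nonce, isCreate),-5} reported={ReportedAccepts(nonce, isCreate)}");

        // The single disagreeing input is the case a cross-client regression
        // test should pin, since it is where block validity would differ.
        foreach (var (nonce, isCreate) in Divergences(boundary))
            Console.WriteLine($"DIVERGENCE: {(isCreate ? "create" : "call")} tx with nonce {nonce}");
    }
}
```

Under these assumptions the only divergence is a create transaction with nonce `ulong.MaxValue - 1`; call transactions and every other boundary value agree.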

Impact Details

Because of this violation of EIP-2681 (https://eips.ethereum.org/EIPS/eip-2681), consensus issues would arise once an account reaches a nonce of 2^64 - 2 and invokes a create transaction.

References

  • https://github.com/NethermindEth/nethermind/tree/1.30.1

  • EIP-2681 (https://eips.ethereum.org/EIPS/eip-2681)

Proof of Concept

  1. For simplicity, we add the following test case in the test file:

nethermind/src/Nethermind/Nethermind.Evm.Test/TransactionProcessorTests.cs

where the nonce is set to ulong.MaxValue - 1 ( 2^64 - 1 ) for a create transaction, and it asserts the transaction will fail.

  2. Run the test case.

  3. The test result shows that the create transaction fails.
