#42762 [BC-High] New accounts break the pipe mempool invariant that prevents duplicate transactions from filling the mempool

Submitted on Mar 26th 2025 at 02:00:54 UTC by @Capybara for Attackathon | Movement Labs

  • Report ID: #42762

  • Report Type: Blockchain/DLT

  • Report severity: High

  • Target: https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/execution/maptos/opt-executor

  • Impacts:

    • Temporary freezing of network transactions by delaying one block by 500% or more of the average block time of the preceding 24 hours beyond standard difficulty adjustments

Description

Details

Invariants in the DA reject adding to the mempool two transactions from the same User using the same Sequence Number.

 ┌──┐                              ┌──┐
 │Tx│                              │DA│
 └┬─┘                              └┬─┘
  │                                 │  
  │User "Alice", Sequence number "1"│  
  │────────────────────────────────>│  
  │                                 │  
  │            Accepted!            │  
  │<────────────────────────────────│  
  │                                 │  
  │User "Alice", Sequence number "1"│  
  │────────────────────────────────>│  
  │                                 │  
  │            Rejected!            │  
  │<────────────────────────────────│  
  │                                 │  
  │User "Alice", Sequence number "2"│  
  │────────────────────────────────>│  
  │                                 │  
  │            Accepted!            │  
  │<────────────────────────────────│  
 ┌┴─┐                              ┌┴─┐
 │Tx│                              │DA│
 └──┘                              └──┘

There's a test in the Opt Executor named test_pipe_mempool_with_duplicate_transaction ensuring code updates don't break this invariant:

Link to code: https://github.com/immunefi-team/attackathon-movement/blob/a2790c6ac17b7cf02a69aea172c2b38d2be8ce00/protocol-units/execution/maptos/opt-executor/src/background/transaction_pipe.rs#L421-L461

The bug

All new accounts that have never submitted a transaction to the network start with a sequence number of 0, and for such accounts 0 is a valid sequence number when submitting a transaction (it will be executed successfully).

Unfortunately, valid transactions with a sequence number of 0 can bypass the logic that prevents the same transaction from being inserted in a block multiple times.
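The invariant from the diagram, extended to the new-account case, as an added example that is not code from the report or from the Movement repository. All type and function names are hypothetical, and the gate only models the expected behaviour: an account that has never transacted is treated as having sequence number 0, so it goes through the same duplicate check as any other account.

```rust
use std::collections::{HashMap, HashSet};

/// Outcome of the admission check (names are hypothetical, not the project's).
#[derive(Debug, PartialEq, Eq)]
pub enum Admission {
    Accepted,
    RejectedDuplicate,
    RejectedStale,
}

/// Toy admission gate keyed on (sender, sequence number).
#[derive(Default)]
pub struct AdmissionGate {
    /// Next expected sequence number per account as committed on chain.
    /// An account that never transacted is absent and is treated as 0.
    committed: HashMap<String, u64>,
    /// (sender, sequence number) pairs currently in flight.
    in_flight: HashSet<(String, u64)>,
}

impl AdmissionGate {
    pub fn submit(&mut self, sender: &str, seq: u64) -> Admission {
        // Absent accounts default to 0 so they take the same path as known ones.
        let next = self.committed.get(sender).copied().unwrap_or(0);
        if seq < next {
            return Admission::RejectedStale;
        }
        // HashSet::insert returns false when the pair is already present.
        if !self.in_flight.insert((sender.to_string(), seq)) {
            return Admission::RejectedDuplicate;
        }
        Admission::Accepted
    }

    /// Record that `sender`'s transaction with `seq` was executed.
    pub fn commit(&mut self, sender: &str, seq: u64) {
        self.in_flight.remove(&(sender.to_string(), seq));
        self.committed.insert(sender.to_string(), seq + 1);
    }
}

fn main() {
    let mut gate = AdmissionGate::default();
    // Constructed sample: "bob" is a brand-new account, so 0 is its valid sequence number.
    for seq in [0, 0, 1] {
        println!("bob seq {} -> {:?}", seq, gate.submit("bob", seq));
    }
}
```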

Impact Details

Blockchain blocks have limited space. Filling a block with valid but non-executable transactions, like in this case (duplicating a tx using a sequence number of 0), delays real user transactions from getting processed.

Additionally, each proposed batch is added to Celestia, which has a cost.

Proof of Concept

I have two different proofs of concept for this report.

The first one is as simple as updating the current test Movement Labs created for duplicate transactions by submitting the tx with a sequence number of 0.

The result is that the same assert check that used to pass in the original test will fail.

Add it to: https://github.com/immunefi-team/attackathon-movement/blob/main/protocol-units/execution/maptos/opt-executor/src/background/transaction_pipe.rs#L419

The second proof of concept is an e2e test that can be included in the file https://github.com/immunefi-team/attackathon-movement/blob/main/protocol-units/da/movement/protocol/tests/src/test/e2e/raw/sequencer.rs
