search
Active Boosts

#43222 [BC-High] A transaction with sequence number 0 can be submitted multiple times

Submitted on Apr 3rd 2025 at 19:48:29 UTC by @KlosMitSoss for Attackathon | Movement Labsarrow-up-right

  • Report ID: #43222

  • Report Type: Blockchain/DLT

  • Report severity: High

  • Target: https://github.com/immunefi-team/attackathon-movement/tree/main/protocol-units/execution/maptos/opt-executor

  • Impacts:

    • Causing network processing nodes to process transactions from the mempool beyond set parameters

hashtag
Description

hashtag
Brief/Intro

When checking if a transaction's sequence number has been used before using the has_invalid_sequence_number() function, the case when the sequence number is 0 is not properly handled. As a result, a transaction with sequence number 0 can be submitted multiple times.

hashtag
Vulnerability Details

When the previously used sequence number for the transaction sender is retrieved from the used_sequence_number_pool, it defaults to 0 if no sequence number is found.

	fn has_invalid_sequence_number(
		&self,
		transaction: &SignedTransaction,
	) -> Result<SequenceNumberValidity, Error> {
		// check against the used sequence number pool
		let used_sequence_number = self
			.used_sequence_number_pool
			.get_sequence_number(&transaction.sender())
>>			.unwrap_or(0);
        ... ...
	}

https://github.com/immunefi-team/attackathon-movement/blob/a2790c6ac17b7cf02a69aea172c2b38d2be8ce00/protocol-units/execution/maptos/opt-executor/src/background/transaction_pipe.rs#L164-L218

Later in the function, if the last used sequence number was 0 (or none was found), the minimum allowed sequence number also becomes 0.

This means that transactions with sequence number 0 can be submitted multiple times to the mempool, bypassing the normal sequence number check.

To mitigate this, a distinction should be made between the absence of a used sequence number and the used sequence number being 0. If no used sequence number exists, 0 should be allowed. However, if 0 is the last used sequence number, it should not be allowed (only 1,2 and so on should be allowed).

hashtag
Impact Details

A transaction with the sequence number being 0 could be submitted multiple times.

While technically the impact matches "Causing network processing nodes to process transactions from the mempool beyond set parameters" which is a "High" impact, we belive the issue should be "Low".

hashtag
References

Code references are provided throughout the report.

hashtag
Proof of Concept

hashtag
Proof of Concept

  1. The used_sequence_number_pool is currently empty and a transaction with sequence number 0 is submitted.

  2. The transaction with sequence number 0 can be submitted again.

Previous#43221 [BC-Insight] Expired transactions prevent new submissions due to delayed garbage collectionNext#43229 [BC-High] There is a bug can allows malicious data to enter the DA layer and be signed by a legitimate node

Was this helpful?