RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer
Description
Brief/Intro
I found a way to prevent all the JSON-RPC users from interacting with particular contracts/protocols.
Vulnerability Details
Every JSON-RPC method call passes through the rateLimitMiddleware, which in turn runs it through the isRequestOkay check in utils.ts.
If the method called is 'eth_sendRawTransaction', the transaction object is decoded from the raw transaction and, among the other checks, the request history of the to address is examined:
https://github.com/shardeum/json-rpc-server/blob/aba70af9ae65b59034c87ced1253a7478a2a0293/src/utils.ts#L1114-L1142
As you can see, if there have been more than 10 transactions to the to address within the last minute, the isRequestOkay function returns false, so the incoming transaction is rejected.
Because this limit is keyed on the destination rather than on the sender, it allows an attacker to block all JSON-RPC users from interacting with particular contracts/protocols simply by periodically sending transactions (even invalid ones) to those contracts.
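To make the keying problem concrete, the following is an added example written for this report, not code from the json-rpc-server repository: a sliding-window limiter in the shape the text describes (more than 10 hits per address per minute is rejected), instantiated once keyed on the destination address and once keyed on the sender. The Tx shape, the class and function names, and the timestamps are assumptions; only the 10-per-minute figure and the contract address come from the report.

```typescript
// Added example, not the project's own code. Models the check described in
// the report: count submissions per key over a one-minute window and reject
// once the count exceeds 10. Which field supplies the key decides who can
// exhaust the budget.
type Tx = { from: string; to: string };

const WINDOW_MS = 60_000;
const MAX_PER_WINDOW = 10;

class SlidingWindowLimiter {
  private hits = new Map<string, number[]>();
  constructor(private keyOf: (tx: Tx) => string) {}

  // Records the submission and returns true if it may proceed. Every
  // submission counts, valid or not, matching the behaviour the report
  // describes (assumed to be the relevant detail; not verified against upstream).
  isRequestOkay(tx: Tx, now: number): boolean {
    const key = this.keyOf(tx).toLowerCase();
    const recent = (this.hits.get(key) ?? []).filter(t => now - t < WINDOW_MS);
    recent.push(now);
    this.hits.set(key, recent);
    return recent.length <= MAX_PER_WINDOW;
  }
}

// Weak keying: the budget belongs to the contract, which every user shares.
const byDestination = () => new SlidingWindowLimiter(tx => tx.to);
// Hardened keying: the budget belongs to the sender, so a noisy sender only
// throttles their own submissions.
const bySender = () => new SlidingWindowLimiter(tx => tx.from);

// Constructed scenario: one sender submits 11 transactions to the contract
// named in the report, then an unrelated user submits one `laterMs` after
// the first. Returns whether the unrelated user's transaction is accepted.
function otherUserGetsThrough(limiter: SlidingWindowLimiter, laterMs: number): boolean {
  const target = "0xcB059C5573646047D6d88dDdb87B745C18161d3b";
  const t0 = 1_700_000_000_000; // constructed epoch-millisecond timestamp
  for (let i = 0; i < 11; i++) {
    limiter.isRequestOkay({ from: "0xnoisysender", to: target }, t0 + i);
  }
  return limiter.isRequestOkay({ from: "0xotheruser", to: target }, t0 + laterMs);
}
```

With destination keying the unrelated user is rejected until the window expires; with sender keying they are accepted immediately.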
Impact Details
I believe this falls squarely under the "RPC API crash affecting projects with greater than or equal to 25% of the market capitalization on top of the respective layer" impact.
Although the JSON-RPC server does not literally crash, it stops processing transactions to particular protocols/contracts from any user, which can affect many top-tier protocols (and even the whole Shardeum blockchain, if any service contracts exist).
The attack can completely block all JSON-RPC users from:
interacting with any top tokens (which could lead to lost funds because of price fluctuations);
updating oracle contract data (which could cause multiple protocols relying on oracles to malfunction);
interacting with Shardeum service contracts (which could disrupt the functionality of the entire blockchain).
Proof of Concept
For instance, suppose the attacker wants to block JSON-RPC users from interacting with contract 0xcB059C5573646047D6d88dDdb87B745C18161d3b.
All that is needed is two different transactions to this contract, taken from the Shardeum explorer. They could be old, or they could be newer than the current block number (from a different chain), and from any user – it doesn’t matter. For instance:
Network is currently busy. Please try again later.
Thus, nobody can interact with this contract for the next minute. The attacker can repeat the malicious request once every minute, indefinitely blocking every user from interacting with this contract.