fix(net): validate peer transactions before mempool insertion#73
Open
ace-degen wants to merge 1 commit into
Open
fix(net): validate peer transactions before mempool insertion#73ace-degen wants to merge 1 commit into
ace-degen wants to merge 1 commit into
Conversation
The P2P `NewTransaction` handler inserted peer-supplied transactions into the mempool via `MemPool::put` without first running `State::validate_transaction`, unlike the RPC path (`Node::submit_transaction`). A transaction with an invalid signature (or failing balance/fee checks) was therefore accepted into the mempool and re-broadcast to all peers, even though it can never be included in a valid block. Any peer can use this to flood the network's mempools with invalid transactions: network-wide relay amplification and mempool bloat (worst on non-mining nodes, which never run the self-healing template builder). Not theft — invalid transactions are still rejected at block-connect. Run `validate_transaction` in the handler before `mempool.put`, matching the RPC path. Add a regression test pinning the invariant: a forged-signature transaction is rejected by `validate_transaction` while `MemPool::put` alone accepts it.
Collaborator
|
Thanks for the contribution! There are a few CI failures to address — mostly formatting and similar minor issues. Once those are fixed, I'll go ahead and merge. |
Collaborator
|
Thanks for your contribution! There are still a few linting errors to resolve — once those are fixed, I'll get this merged. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The P2P
NewTransactionhandler inlib/node/net_task.rsinserted peer-suppliedtransactions into the mempool via
MemPool::putwithout first runningState::validate_transaction. The RPC submission path (Node::submit_transaction)does validate. Because of this asymmetry, a transaction received from a peer with
an invalid signature (or one that fails balance/fee checks) is accepted into the
mempool and re-broadcast to all peers, even though it can never be included in a
valid block.
Any peer can exploit this to flood the network's mempools with invalid transactions:
their mempools indefinitely (unbounded growth from free, keyless traffic).
(The block-template path is self-healing:
Node::get_transactionsre-validates anddrops invalid txs before building a template, so they never reach a block — the
impact is relay amplification and mempool bloat, not poisoned templates.)
(Severity: network-level DoS — no direct theft, since invalid transactions are still
rejected at block-connect time.)
Root cause
The handler called only
regenerate_proof(which generates a Utreexo proof, not avalidation step) followed by
mempool.put(which only guards against double-spendswithin the mempool). Neither verifies signatures, address binding, input existence,
or fees.
Fix
Run
State::validate_transactionin theNewTransactionhandler beforeMemPool::put, mirroring the RPC path. One line, inside the existing handlerclosure; the
?converts thestate::Errorvia the conversion already used by theadjacent
regenerate_proofcall.Test
Adds
lib/mempool.rs::p2p_validation_bypass_tests, a runtime regression test thatfunds a real UTXO, builds a transaction spending it but signs with the wrong key,
then asserts:
State::validate_transactionrejects it with anAuthorizationerror, butregenerate_proof+MemPool::putsequence (what the P2P handler did)accepts it and leaves the invalid transaction resident in the mempool.
Note
This is one shared bug pattern across the LayerTwo-Labs Rust L2 stack (thunder-rust,
coinshift-rs, photon, plain-bitassets, plain-bitnames, truthcoin-dc); each repo
carries the same gap in its own
net_task.rsand gets the same fix.