fix(net): validate peer transactions before mempool insertion#33
Open
ace-degen wants to merge 2 commits into
Open
fix(net): validate peer transactions before mempool insertion#33ace-degen wants to merge 2 commits into
ace-degen wants to merge 2 commits into
Conversation
The P2P `NewTransaction` handler inserts peer transactions into the mempool via `MemPool::put` without first calling `State::validate_transaction`, unlike the RPC submit path. This regression test pins the invariant: a forged-signature transaction spending a real UTXO is rejected by `validate_transaction` yet accepted by `MemPool::put` on its own.
The P2P `NewTransaction` handler inserted peer-supplied transactions into the mempool via `MemPool::put` without first running `State::validate_transaction`, unlike the RPC path (`Node::submit_transaction`). A transaction with an invalid signature (or failing balance/fee checks) was therefore accepted into the mempool and re-broadcast to all peers, even though it can never be included in a valid block. Any peer can use this to flood the network's mempools with invalid transactions: network-wide relay amplification and mempool bloat (worst on non-mining nodes, which never run the self-healing template builder). Not theft — invalid transactions are still rejected at block-connect. Run `validate_transaction` in the handler before `mempool.put`, matching the RPC path. Add a regression test pinning the invariant: a forged-signature transaction is rejected by `validate_transaction` while `MemPool::put` alone accepts it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The P2P
NewTransactionhandler inlib/node/net_task.rsinserted peer-suppliedtransactions into the mempool via
MemPool::putwithout first runningState::validate_transaction. The RPC submission path (Node::submit_transaction)does validate. Because of this asymmetry, a transaction received from a peer with
an invalid signature (or one that fails balance/fee checks) is accepted into the
mempool and re-broadcast to all peers, even though it can never be included in a
valid block.
Any peer can exploit this to flood the network's mempools with invalid transactions:
their mempools indefinitely (unbounded growth from free, keyless traffic).
(The block-template path is self-healing:
Node::get_transactionsre-validates anddrops invalid txs before building a template, so they never reach a block — the
impact is relay amplification and mempool bloat, not poisoned templates.)
(Severity: network-level DoS — no direct theft, since invalid transactions are still
rejected at block-connect time.)
Root cause
The handler opened a write txn and called
mempool.putdirectly.MemPool::putonly guards against double-spends within the mempool; it does not verify
signatures, address binding, input existence, or fees.
Fix
Run
State::validate_transactionin theNewTransactionhandler beforeMemPool::put, mirroring the RPC path. One line; the?converts thestate::Errorvia the existing
net_task::Error::State(#[from] Box<state::Error>)impl.Test
Adds
lib/state/mod.rs::p2p_validation_bypass_tests, a runtime regression test thatfunds a real UTXO, builds a transaction spending it but signs with the wrong key,
then asserts:
State::validate_transactionrejects it with anAuthorizationError, butMemPool::put(what the P2P handler did) accepts it and leaves theinvalid transaction resident in the mempool.
(The test lives in
lib/state/mod.rsrather thanlib/mempool.rsonly because thestate UTXO set used to fund the input is private to the
statemodule.)Note
This is one shared bug pattern across the LayerTwo-Labs Rust L2 stack (thunder-rust,
coinshift-rs, photon, plain-bitassets, plain-bitnames, truthcoin-dc); each repo
carries the same gap in its own
net_task.rsand gets the same fix.