Potential DoS vector: blobs that are too big to be included in a square #3072
Comments
|
Note we already have an ante handler that rejects txs where the total blob size is too large. It's possible that ante handler doesn't catch edge cases near the total blob size because it derives an upper bound based on a number of parameters. See |
|
I think we calculate the space taken by the blobs incorrectly celestia-app/x/blob/ante/max_total_blob_size_ante.go Lines 74 to 79 in 2d261a2 it should be in regards of the amount of shares * 512 bytes i.e. for _, size := range sizes {
sum += uint64(shares.SparseSharesNeeded(size)) * appconsts.ShareSize
}Also I would consider of adding an extra share or two as buffer for padding |
yes but we want the total bytes based on the amount of shares that those blobs will occupy; not the raw bytes of the blobs |
|
🤦♂️ you're right, good catch! |
@cmwaters noticed that the ante handler rejects txs but doesn't account for the shares used by each blob size. See #3072 (comment) This means that a PFB with many small blobs would not be rejected by the ante handler even though it can't possibly fit. This PR modifies the ante handler to reject based on the # of shares occupied by each `blobSize` instead of the # of total bytes. Also adds a test case that would fail with the previous implementation but passes with this implementation. --- Note to future selves: we should add to the v2 release notes: - breaking!: the blob ante handler became more restrictive in that it rejects transactions that would have previously entered the mempool but failed to be included in a block. Transactions that previously failed with `ErrTotalBlobSizeTooLarge` should now fail with `ErrBlobTooLarge`. --------- Co-authored-by: Sanaz Taheri <35961250+staheri14@users.noreply.github.com>
|
This issue may be partially mitigated by the fix in #3082 which will be released in the next major release. |
|
TBH I still think this is open. #3082 improves the ante handler to reject PFBs that are guaranteed to not fit in a data square. But I think the DoS vector still exists and a malicious actor could craft PFBs that pass the ante handler but fail to fit in a data square. Agreed it is a bug. What do you mean by "treat it as such"? |
mainly that we just add a label lol and discuss what is needed to fix it ofc. that is weird wording tho, apologies do we need more tests than what were added in #3082? what do we need to do to be confident that this isn't occuring? I could be missing something, but we should be able to deterministically test for this, correct? |
One more idea to mitigate the DoS: modify
We could use a fuzz test that submits blobs to the ante handler and verifies that if a valid PFB tx passes the ante handler then it also must be able to be included in an empty block (i.e. a block where it is the only tx). |
does the signer in the user packager using BroadcastMode Sync count for non-blocking? In general I agree that we should get rid of broadmost mode block, and perhaps a stupic question, but how does this reduce DoS? just that it reduces the resources required per connection? If so, we do have configurable limits on the time each node will wait and how many active connections it maintains help?
adding a fuzzer is a good idea! for this specific issue, perhaps we could limit to the scope to just the size of the PFB and the problematic antehandler? |
|
to close issue, we need to add a test case for the boundary of max blob size in this test |
@cmwaters noticed that the ante handler rejects txs but doesn't account for the shares used by each blob size. See celestiaorg#3072 (comment) This means that a PFB with many small blobs would not be rejected by the ante handler even though it can't possibly fit. This PR modifies the ante handler to reject based on the # of shares occupied by each `blobSize` instead of the # of total bytes. Also adds a test case that would fail with the previous implementation but passes with this implementation. --- Note to future selves: we should add to the v2 release notes: - breaking!: the blob ante handler became more restrictive in that it rejects transactions that would have previously entered the mempool but failed to be included in a block. Transactions that previously failed with `ErrTotalBlobSizeTooLarge` should now fail with `ErrBlobTooLarge`. --------- Co-authored-by: Sanaz Taheri <35961250+staheri14@users.noreply.github.com>
@cmwaters noticed that the ante handler rejects txs but doesn't account for the shares used by each blob size. See celestiaorg/celestia-app#3072 (comment) This means that a PFB with many small blobs would not be rejected by the ante handler even though it can't possibly fit. This PR modifies the ante handler to reject based on the # of shares occupied by each `blobSize` instead of the # of total bytes. Also adds a test case that would fail with the previous implementation but passes with this implementation. --- Note to future selves: we should add to the v2 release notes: - breaking!: the blob ante handler became more restrictive in that it rejects transactions that would have previously entered the mempool but failed to be included in a block. Transactions that previously failed with `ErrTotalBlobSizeTooLarge` should now fail with `ErrBlobTooLarge`. --------- Co-authored-by: Sanaz Taheri <35961250+staheri14@users.noreply.github.com>
|
I think we can close this as completed @rootulp correct |
|
We can close this and open a new issue for
Created #4275 |
Problem
Originally reported via @tuxcanfly. See https://gist.github.com/tuxcanfly/207ab3dc1fac4bb9c38bedad2a053f18
Proposal
Is it possible for
CheckTxto reject this type of transaction prior admittance into the mempool?GovSquareSizeof 64 which would reject transactions larger than ~2MiBSquareSizeUpperBoundof 128 which would reject transactions larger than ~8MiBThe text was updated successfully, but these errors were encountered: