This repository has been archived by the owner on Jan 13, 2025. It is now read-only.
Possible resource exhausition attack for account storage with reasonable funds #11342
Labels
security
Pull requests that address a security vulnerability
Comments
|
Hmm, I tested quickly tested this locally. It seems that we can't just do only this system-owned accounts. But this still doable. So, we must do this with custom-deployed simple program with the crafted large accounts owned by the program. |
This was referenced Aug 18, 2020
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Problem
Currently, the cluster doesn't further collect rents for the duration of current epoch if previous rent has been already collected for the epoch.
A determined attacker can exploit this behavior of rather lenient rent check and can mount a temporal resource exhaustion attack within an epoch with reasonable fund like this:
MAX_PERMITTED_DATA_LENGTH-sized account with the balance ofrent_exempt_for(MAX_PERMITTED_DATA_LENGTH)with 5,000 transaction fee.Each iteration effectively costs 10001 lamports and only takes minimum of 2 slots while that would forces the cluster to hold 10M bytes for duration of an epoch.
Also, this can easily parallelized.
So, attacker can consume 500TB with 500 concurrent processing with about 550 sols and ~24 hours, causing the trouble for the remainder of the epoch (~1 day):
Worse yet, if this attack is done persistently, the resource exhaustion attack can continue until the attack ends + 1 epoch. Upper bound to 1PB resource exhaustion with 1100 sols per epoch for sustained cost with the proceeding assumption.
Alternatively, this could be bound to the IO bandwidth to the
mmap()-ed account storage...Anyway, this is well above the worst-case resource assumption across our current validators.
Proposed Solution
Adjust to increase rent check timing?
Context
Found via thinking for the fix of #10468
The text was updated successfully, but these errors were encountered: