
AnteHandler spam prevention #2019

Closed

Description

Problem Definition

AnteHandler currently potentially requires multiple account lookups and multiple signature verifications (especially with the upcoming threshold signature addition to tendermint/crypto)

This issue is a proposal for limiting the spam potential by enabling a feature called "oversigning".

Proposal

An "oversigned" StdTx is one where the fee payer signs over all the remaining signatures for the remaining Msgs, thus allowing CheckTx to only have to check 1 account and 1 non-multi pubkey before rejecting the transaction. If there is any problem with the rest of the msgs/signatures, then the fee payer still pays the fee, so the DoS problem is mitigated.

The purpose of this change is to prevent CheckTx from having to load multiple accounts or check multiple signatures (e.g. in a composite multisig) before rejecting a transaction, to prevent spam issues.

Structures

StdTx := {Oversigned bool, Msgs*, Fee, *Signatures, Memo}
StdSignDoc := {AccountNum, ChainID, Fee, Memo, *Msgs, Sequence}
OversignedStdSignDoc := {AccountNum, ChainID, Fee, Memo, *Msgs, Sequence, *Signature}
FeePayMsg := {AccAddress}
  • Changes:
    -> StdTx starts with new Oversigned bool field
    -> OversignedSignDoc embeds StdSignDoc but also includes *Signatures
    -> Add PubKey.IsComposite() in tendermint/crypto

  • Goals
    -> Any non-oversigned StdTx can be oversigned by any third-party account.
    -> Be as restrictive as possible so that it can be upgraded in a backwards compatible way as we make AnteHandler more intelligent.

  • We want to oversign, if:
    -> If len(StdTx.Signatures) > 1, or:
    -> If the signing account (only 1 due to above exception) is a composite pubkey

  • If we want to oversign:
    -> Set Oversigned=True in StdTx, otherwise it is False (not amino binary encoded if false, so efficient for non-oversigned txs)
    -> An oversigned StdTx is invalid if there is only 1 Msg or 1 Signature.

  • FeePayMsg:
    -> If the fee payer is not otherwise involved in the msgs, then the first msg should be a FeePayMsg which just denotes the account address of the fee payer.
    -> The FeePayMsg should not be present in any msg except the first.
    -> The FeePayMsg should be removed from the head of Msgs before creating OversignedStdSignDoc, thus allowing the fee payer to be determined after everyone else has already signed.
    -> In an oversigned StdTx, even if the fee payer is among StdTx.Msgs[1:].Map(GetSigners), its signature is still required (e.g. it would have two different signatures in StdTx.Signatures... the first, and somewhere else). This is to prevent the fee payer (e.g. as a service) from accidentally committing to a transaction that it otherwise didn't intend to sign. (We can upgrade to optimize in the future)
    -> A StdTx with only 1 FeePayMsg is still valid; in this case the only effect is that a fee is paid for a memo.
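
To make the two phases concrete, here is an added Go sketch that is not cosmos-sdk code: the inner signers sign a StdSignDoc with the FeePayMsg stripped from the head of Msgs, the fee payer then signs an OversignedStdSignDoc that embeds their signatures, CheckTx verifies only that one signature, and DeliverTx verifies the rest. It assumes ed25519 keys, JSON in place of amino for sign bytes, a Msg.Type of "feepay" marking the FeePayMsg, and omits AccountNum and Sequence.

```go
package main
import ("crypto/ed25519"; "encoding/json")

// Constructed stand-ins for the proposal's structures, not cosmos-sdk code;
// AccountNum and Sequence are omitted and JSON stands in for amino.
type Msg struct{ Type, Signer string } // Type "feepay" marks the FeePayMsg
type StdSignDoc struct{ ChainID string; Fee int; Memo string; Msgs []Msg }
type OversignedStdSignDoc struct{ StdSignDoc; Signatures [][]byte } // inner sigs the payer commits to
type Sig struct{ PubKey ed25519.PublicKey; Sig []byte }
// When Oversigned, Msgs[0] is the FeePayMsg and Signatures[0] is the fee payer's.
type StdTx struct{ Oversigned bool; Msgs []Msg; Fee int; Signatures []Sig; Memo string }

func docBytes(v interface{}) []byte { b, _ := json.Marshal(v); return b }
// innerDoc drops the FeePayMsg from the head of Msgs, so the other signers
// sign without knowing who will pay the fee.
func innerDoc(tx StdTx, chainID string) StdSignDoc {
	return StdSignDoc{chainID, tx.Fee, tx.Memo, tx.Msgs[1:]}
}

// oversignedDoc is what the fee payer signs: the inner doc plus every inner signature.
func oversignedDoc(tx StdTx, chainID string) OversignedStdSignDoc {
	doc := OversignedStdSignDoc{StdSignDoc: innerDoc(tx, chainID)}
	for _, s := range tx.Signatures[1:] { doc.Signatures = append(doc.Signatures, s.Sig) }
	return doc
}

// Sign collects the inner signatures first, then the fee payer signs over all of them.
func Sign(tx StdTx, chainID string, payer ed25519.PrivateKey, inner []ed25519.PrivateKey) StdTx {
	ib := docBytes(innerDoc(tx, chainID))
	tx.Signatures = []Sig{{}} // slot 0 is reserved for the fee payer
	for _, k := range inner { tx.Signatures = append(tx.Signatures, Sig{k.Public().(ed25519.PublicKey), ed25519.Sign(k, ib)}) }
	tx.Signatures[0] = Sig{payer.Public().(ed25519.PublicKey), ed25519.Sign(payer, docBytes(oversignedDoc(tx, chainID)))}
	return tx
}

// CheckTx is the ante work for an oversigned tx: one non-composite pubkey, one
// signature verification, and no lookup of the inner signers before deciding.
func CheckTx(tx StdTx, chainID string) bool {
	if !tx.Oversigned || len(tx.Msgs) < 2 || len(tx.Signatures) < 2 || tx.Msgs[0].Type != "feepay" { return false }
	return ed25519.Verify(tx.Signatures[0].PubKey, docBytes(oversignedDoc(tx, chainID)), tx.Signatures[0].Sig)
}

// DeliverTx verifies the inner signatures; the fee was committed at CheckTx,
// so a bad inner signature still costs the fee payer rather than the validators.
func DeliverTx(tx StdTx, chainID string) (feeCharged, executed bool) {
	if !CheckTx(tx, chainID) { return false, false }
	ib := docBytes(innerDoc(tx, chainID))
	for _, s := range tx.Signatures[1:] { if !ed25519.Verify(s.PubKey, ib, s.Sig) { return true, false } }
	return true, true
}
```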


For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
