CVSS3: 7.1 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | LOW |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H

EPSS: 0.001 Low (Percentile: 26.7%)
When a relayed transaction was executed and its inner transaction failed, the nonce of the inner transaction's sender account was still increased. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change, so a new flag, RelayedNonceFixEnableEpoch, was needed. This was a strict processing issue while validating blocks on a chain.
v1.4.17 and later versions contain the fix for this issue.
There were no workarounds for this issue. The affected account could only wait for the DoS attack to finish, as the attack was not free, or attempt to send transactions very quickly so as to compete on the same nonce with the attacker.
For future understanding of this issue, in v1.4.17 and later versions we have this integration test that addresses the issue and tests the fix:
https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
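The nonce behaviour described above, as an added Go sketch that is not code from mx-chain-go. It is a simplified model: `Ledger`, `InnerTx`, `ProcessRelayed` and `VictimTxAccepted` are hypothetical names, only `RelayedNonceFixEnableEpoch` comes from the advisory, and it assumes the fix leaves the sender nonce unchanged when the inner transaction fails.

```go
package main

import "fmt"

// Ledger is a hypothetical, minimal stand-in for chain state.
type Ledger struct {
	Nonces                     map[string]uint64 // account -> current nonce
	RelayedNonceFixEnableEpoch uint32            // flag name taken from the advisory
}

// InnerTx is the user transaction wrapped by a relayer; Fails stands in for any execution failure.
type InnerTx struct {
	Sender string
	Nonce  uint64
	Fails  bool
}

// ProcessRelayed applies one relayed transaction at the given epoch and
// reports whether the inner transaction executed successfully.
func (l *Ledger) ProcessRelayed(epoch uint32, inner InnerTx) bool {
	if inner.Nonce != l.Nonces[inner.Sender] {
		return false // nonce mismatch: rejected, state untouched
	}
	if !inner.Fails {
		l.Nonces[inner.Sender]++ // success consumes the nonce in both modes
		return true
	}
	// Failed inner transaction: epochs before activation keep the old rule
	// (nonce still bumped) so previously validated blocks replay identically.
	if epoch < l.RelayedNonceFixEnableEpoch {
		l.Nonces[inner.Sender]++
	}
	return false
}

// VictimTxAccepted processes one failing relayed transaction for "alice"
// (constructed sample account, nonce 5) and reports whether a transaction
// she already signed with nonce 5 would still match her account nonce.
func VictimTxAccepted(epoch, enableEpoch uint32) bool {
	l := &Ledger{Nonces: map[string]uint64{"alice": 5}, RelayedNonceFixEnableEpoch: enableEpoch}
	l.ProcessRelayed(epoch, InnerTx{Sender: "alice", Nonce: 5, Fails: true})
	return l.Nonces["alice"] == 5
}

func main() {
	fmt.Println("pre-fix epoch:", VictimTxAccepted(9, 10), "post-fix epoch:", VictimTxAccepted(10, 10))
}
```

Gating on the epoch rather than changing the rule unconditionally is what makes the fix deployable: every validator switches behaviour at the same block boundary, so state roots computed before activation remain reproducible.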
CPE

Name | Operator | Version |
---|---|---|
github.com/multiversx/mx-chain-go | lt | 1.4.17 |
github.com/multiversx/mx-chain-go
github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43
github.com/multiversx/mx-chain-go/releases/tag/v1.4.17
github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp
nvd.nist.gov/vuln/detail/CVE-2023-34458