mintlayer-core icon indicating copy to clipboard operation
mintlayer-core copied to clipboard
verified publisher icon mintlayer

User-supplied hex-encoded transactions may cause a creation of an invalid block

Open iljakuklic opened this issue 2 years ago • 0 comments

The blockprod_generate_block RPC call allows the user to include an invalid transaction, creating an invalid block. The block will then be rejected when attempting to submit it to the chain. This is nowadays mostly used in a controlled testing environment so is not a big issue. However, the call is still exposed via the external node interface which means there's a chance users will end up take advantage of this.

A simple mitigation is to make it the user responsibility

Other options are:

  • Validate the user-supplied transactions as well and report issues back to the user at block creation time.
  • Remove the hex-based transaction submission from the public API, making it only available via test RPC functions.

Related:

  • #756 (the original issue)
  • #1214 (possible alternative to user-supplied hex transactions)

iljakuklic avatar Oct 16 '23 09:10 iljakuklic