EOSIO / eos

An open source smart contract platform
https://developers.eos.io/manuals/eos
MIT License
11.28k stars 3.6k forks

an odd account gu2tembqgage,it seems has an unlimited resource to push message #4175

Closed sportsminer closed 6 years ago

sportsminer commented 6 years ago

The account gu2tembqgage seems to have unlimited resources (RAM, CPU, NET) to execute a contract action, because it has pushed the same action many, many, many times all day long and can still push such messages. Why? Is it a bug? Or did it hack the system!

JoshDellay commented 6 years ago

The user looks to be spamming a "ddos" action with the memo "vote producer gu2tembqgage, we love BM", trying to gain attention on the chain for votes. The user doesn't have unlimited resources; however, the BPs should block his future tx as spam.

Name: gu2tembqgage
Created At: Jun 15, 2018, 9:47:29 AM
Updated At: Jun 15, 2018, 11:16:30 AM
Balance: 0.7000 EOS
RAM: 56.801 KB / 155.176 KB
CPU: Staked: 82.7835 EOS, Used: 1784076, Available: 6834184, Max: 8618260
NET: Staked: 18.7834 EOS, Used: 7074.609 KB, Available: 0.327 KB, Max: 7074.937 KB

ramtej commented 6 years ago

Yes, we have seen this "ddos" spam today the whole day. In summary, it does not matter, as the number of transactions is very limited. It's still a pain.

PeterGaivoronski commented 6 years ago

It's because when you pay for some amount of CPU, you can use the rest of the network, assuming that no one else is using it right now. Here's the explanation: https://youtu.be/N6CTRdx6NVE?t=10m18s Basically what's happening is that the account's CPU quota is exhausted, but because no one else is currently using the network for mass transactions, the BPs still accept the transactions. When the network becomes highly utilized, you'll only be able to use as much CPU for spam as you paid for.
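The elastic behaviour described in this comment, as an added toy model that is not EOSIO code and not part of the issue: each account's CPU limit is its staked share of a "virtual" capacity, and that virtual capacity expands while the network is idle and contracts back to the hard per-window capacity when utilization rises. All constants (WINDOW_CPU_US, ELASTIC_MULTIPLIER, CONGESTION_THRESHOLD, the stake amounts and the per-transaction cost) are assumptions chosen for illustration, not the chain's real parameters.

```python
"""Toy model of an elastic CPU quota (constructed example, not EOSIO's accounting code)."""
from dataclasses import dataclass

# Assumed parameters: total CPU time available per accounting window when the
# network is congested, how far the virtual capacity may grow when idle, and the
# utilization above which the capacity shrinks back to the hard limit.
WINDOW_CPU_US = 10_000_000
ELASTIC_MULTIPLIER = 1000
CONGESTION_THRESHOLD = 0.1


@dataclass
class Account:
    name: str
    cpu_staked: float      # tokens staked for CPU (hypothetical amounts)
    cpu_used_us: int = 0   # microseconds already consumed in this window


def virtual_capacity_us(utilization: float) -> int:
    """Capacity accounts may draw from: expands linearly towards
    WINDOW_CPU_US * ELASTIC_MULTIPLIER as utilization falls to zero,
    and is exactly WINDOW_CPU_US once utilization reaches the threshold."""
    if utilization >= CONGESTION_THRESHOLD:
        return WINDOW_CPU_US
    idle_fraction = 1 - utilization / CONGESTION_THRESHOLD
    scale = 1 + (ELASTIC_MULTIPLIER - 1) * idle_fraction
    return int(WINDOW_CPU_US * scale)


def cpu_limit_us(acct: Account, total_staked: float, utilization: float) -> int:
    """An account's limit is its stake fraction of the current virtual capacity."""
    return int(virtual_capacity_us(utilization) * acct.cpu_staked / total_staked)


def can_execute(acct: Account, total_staked: float, utilization: float, cost_us: int) -> bool:
    """Would one more transaction costing cost_us fit under the account's limit?"""
    return acct.cpu_used_us + cost_us <= cpu_limit_us(acct, total_staked, utilization)


def accepted_count(acct: Account, total_staked: float, utilization: float,
                   cost_us: int, attempts: int) -> int:
    """Replay `attempts` identical transactions and count how many are accepted,
    charging the account's usage as it goes (a copy is used, the input is untouched)."""
    acct = Account(acct.name, acct.cpu_staked, acct.cpu_used_us)
    accepted = 0
    for _ in range(attempts):
        if can_execute(acct, total_staked, utilization, cost_us):
            acct.cpu_used_us += cost_us
            accepted += 1
    return accepted


if __name__ == "__main__":
    spammer = Account("spammer", cpu_staked=100.0)   # hypothetical account, 0.1% of stake
    total = 100_000.0
    for util in (0.0, 0.05, 0.5):
        print(f"utilization {util:.2f}: limit {cpu_limit_us(spammer, total, util):>10} us,"
              f" accepted {accepted_count(spammer, total, util, 500, 100)}/100")
```

With 0.1% of the stake the account owns 10,000 us of a congested window, enough for 20 transactions at 500 us each, but while the network is idle the virtual capacity is a thousand times larger and all 100 attempts go through, which is the "spam for free while nobody else is using it" effect the comment describes.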

PeterGaivoronski commented 6 years ago

Also, BPs shouldn't filter out any transactions because they don't really know what's spam and what isn't. Transactions can literally be anything, so soon you might start seeing complete nonsense (because you will have no context into what is being sent and to whom) if you just monitor the raw transaction log. You're free to create a client that filters out any unknown transaction types and just shows you the ones you're interested in (voting, delegating, transfers, etc.).

cc32d9 commented 6 years ago

But you already have a voting infrastructure in place. So, let the society vote for throttling down a particular user, or banning it completely. Maybe 1 transaction per day or so would be good enough.
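Both the client-side filter PeterGaivoronski suggests and the per-account daily rate cc32d9 proposes, as one added example that is not part of the thread and not project code: it runs a constructed action log through an allow-list of action names and separately counts actions per account per day, reporting which accounts exceed a configurable limit. The action set in KNOWN_ACTIONS, the accounts other than gu2tembqgage, the timestamps and the limit are all assumptions made for the example.

```python
"""Client-side action filtering and per-account daily rate reporting (constructed example)."""
from collections import Counter
from datetime import datetime, timedelta

# Assumed allow-list of action names a wallet/explorer client wants to display.
KNOWN_ACTIONS = {"transfer", "voteproducer", "delegatebw", "undelegatebw"}


def build_sample_log() -> list[dict]:
    """Constructed action log: one account repeating a custom 'ddos' action
    (the memo is the one quoted in the issue), plus a few ordinary actions
    from hypothetical accounts 'alice' and 'bob'."""
    start = datetime(2018, 6, 15, 9, 50, 0)
    log = []
    for i in range(50):
        log.append({"ts": start + timedelta(minutes=i), "account": "gu2tembqgage",
                    "name": "ddos", "memo": "vote producer gu2tembqgage, we love BM"})
    log.append({"ts": start, "account": "alice", "name": "transfer", "memo": "rent"})
    log.append({"ts": start + timedelta(hours=1), "account": "alice", "name": "transfer", "memo": ""})
    log.append({"ts": start + timedelta(hours=2), "account": "alice", "name": "delegatebw", "memo": ""})
    log.append({"ts": start + timedelta(hours=3), "account": "bob", "name": "voteproducer", "memo": ""})
    # An unknown action from a hypothetical contract, to show it is hidden by the filter.
    log.append({"ts": start + timedelta(hours=4), "account": "bob", "name": "frobnicate", "memo": ""})
    return log


def known_only(actions: list[dict]) -> list[dict]:
    """Keep only actions whose name is on the allow-list (what a client would display)."""
    return [a for a in actions if a["name"] in KNOWN_ACTIONS]


def daily_counts(actions: list[dict]) -> Counter:
    """Count actions per (account, calendar day)."""
    return Counter((a["account"], a["ts"].date()) for a in actions)


def over_daily_limit(actions: list[dict], limit: int) -> dict[str, int]:
    """Accounts whose action count on any single day exceeds `limit`,
    mapped to their highest daily count. Useful as a report for a
    community/BP decision, not as an automatic ban."""
    worst: dict[str, int] = {}
    for (account, _day), n in daily_counts(actions).items():
        if n > limit:
            worst[account] = max(n, worst.get(account, 0))
    return worst


if __name__ == "__main__":
    log = build_sample_log()
    print(f"{len(log)} raw actions, {len(known_only(log))} shown after filtering")
    for account, n in over_daily_limit(log, limit=10).items():
        print(f"{account}: {n} actions in one day (limit 10)")
```

The filter and the rate report are deliberately separate: hiding unknown action types is purely a display choice on the client, while the daily count is evidence that can be put in front of whoever decides on throttling, which is the division of responsibility both comments argue for.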