emesik
commented
6 years ago This could be a mempool spam attack against the daemon itself. Don't you think it's worth reporting upstream, with some more details on how to perform it?
Open cmaves opened 6 years ago
emesik
commented
6 years ago This could be a mempool spam attack against the daemon itself. Don't you think it's worth reporting upstream, with some more details on how to perform it?
amiuhle
commented
6 years ago I agree, transactions like this shouldn't be propagated through the network.
cmaves
commented
6 years ago I made an issue on the monero repo. https://github.com/monero-project/monero/issues/3189
cmaves
commented
6 years ago I'll leave this issue open until it is either fixed on the upstream or fixed in kasisto itself
anonimal
commented
6 years ago @cmaves In the future, please respect responsible disclosure by using using Monero's Vulnerability Response Process regardless of whether this issue is a confirmed vulnerability or not. Thank you.
By making a very simple modification to the monero-wallet-rpc, one can generate a valid low priority transaction that is small enough to be relayed, but large enough to never be confirmed by the network. After looking through the code. I looked through the code and I didn't see a protection against this kind of attack.
After 24 hours this transaction will drop from the mempool and the sender will be able to use the Monero again.