Module github.com/multiversx/mx-chain-go appears in issue #1806 EFFECTIVELY_PRIVATE
See doc/triage.md for instructions on how to triage this report.
modules:
  - module: github.com/multiversx/mx-chain-go
    versions:
      - fixed: 1.4.17
    vulnerable_at: 1.4.16
    packages:
      - package: github.com/multiversx/mx-chain-go
summary: mx-chain-go's relayed transactions always increment nonce
description: |-
  ### Impact

  When executing a relayed transaction, if the inner transaction failed, the
  node would still have incremented the inner transaction's sender account
  nonce. This could have contributed to a limited DoS attack on a targeted
  account. The fix is a breaking change, so a new flag
  `RelayedNonceFixEnableEpoch` was needed. This was a strict processing issue
  while validating blocks on a chain.

  ### Patches

  v1.4.17 and later versions contain the fix for this issue.

  ### Workarounds

  There were no workarounds for this issue. The affected account could only
  wait for the DoS attack to finish, as the attack was not free, or attempt to
  send transactions very quickly so as to compete for the same nonce with the
  attacker.

  ### References

  For future understanding of this issue, v1.4.17 and later versions include
  an integration test that reproduces the issue and tests the fix:
  https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
cves:
  - CVE-2023-34458
ghsas:
  - GHSA-j494-7x2v-vvvp
references:
  - advisory: https://github.com/multiversx/mx-chain-go/security/advisories/GHSA-j494-7x2v-vvvp
  - fix: https://github.com/multiversx/mx-chain-go/commit/babdb144f1316ab6176bf3dbd7d4621120414d43
  - web: https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/relayedMoveBalance_test.go#LL165C14-L165C14
  - web: https://github.com/multiversx/mx-chain-go/releases/tag/v1.4.17
  - advisory: https://github.com/advisories/GHSA-j494-7x2v-vvvp
In GitHub Security Advisory GHSA-j494-7x2v-vvvp, there is a vulnerability in the following Go packages or modules: