Exhausting known Ethereum addresses and thus preventing ETH-SONs usage #529

New issue

Open

opened 2023-04-20 11:00:55 +00:00 by bobinson · 4 comments

bobinson commented 2023-04-20 11:00:55 +00:00 (Migrated from gitlab.com)

Copy link

Step 1:

Assume that the following is done by one individual (Alice).

• setup Eth SONs in the local testnet

• In the local Etherenum network, there must be total of 2 known addresses (assume that this is all the addresses available in the universe and each must have balances, the accounts can be 0x1.. 0x2..)

• The accounts 0x1.. and 0x2.. belongs to Alice

• A Peerplays account alice is created but it will not have any sidechain accounts at this point

Step 2:

Assume that this done by an attacker (Bob).

• The attacker creates Peerplays accounts 'bob1' & bob2
• He then adds 0x1.. as deposit and withdraw address to 'bob1'
• Adds 0x2.. as deposit and withdraw addresses to bob2
• Similarly if Alice or anyone creates any new addresses Bob will first learnt the same and repeat the process and all the Ethereum addresses will be added as sidechain addresses to various Peerplays accounts controlled by Bob

Step 3:

• Alice tries to add 0x1 or 0x2 as sidechain address to peerplays account alice
• Alice will not able add deposit address as its occupied by Attacker.

-------—

On the mainnet of both Peerplays and Ethreum, this can be extended as:

Bob fetches all known Ethereum addresses and adds them as deposit addresses for new Peerplays accounts. Then Bob continuously monitors Ethereum network for any new trascation initiated to a new address and instantaneously provisions a new Peerplays addresses and adds the newly identified Ethereum address as a deposit address. The process continues and acts as a denial of service against ETH-SONs.

Step 1: Assume that the following is done by one individual (Alice). - setup Eth SONs in the local testnet - In the local Etherenum network, there must be total of 2 known addresses (assume that this is all the addresses available in the universe and each must have balances, the accounts can be 0x1.. 0x2..) - The accounts 0x1.. and 0x2.. belongs to Alice - A Peerplays account `alice` is created but it will not have any sidechain accounts at this point - Step 2: Assume that this done by an attacker (Bob). - The attacker creates Peerplays accounts 'bob1' & bob2 - He then adds 0x1.. as deposit and withdraw address to 'bob1' - Adds 0x2.. as deposit and withdraw addresses to `bob2` - Similarly if Alice or anyone creates any new addresses Bob will first learnt the same and repeat the process and all the Ethereum addresses will be added as sidechain addresses to various Peerplays accounts controlled by Bob Step 3: - Alice tries to add 0x1 or 0x2 as sidechain address to peerplays account `alice` - Alice will not able add deposit address as its occupied by Attacker. -------— On the mainnet of both Peerplays and Ethreum, this can be extended as: Bob fetches all known Ethereum addresses and adds them as deposit addresses for new Peerplays accounts. Then Bob continuously monitors Ethereum network for any new trascation initiated to a new address and instantaneously provisions a new Peerplays addresses and adds the newly identified Ethereum address as a deposit address. The process continues and acts as a denial of service against ETH-SONs.

bobinson commented 2023-04-20 11:05:35 +00:00 (Migrated from gitlab.com)

Copy link

changed the description

changed the description

bobinson commented 2023-04-20 11:06:14 +00:00 (Migrated from gitlab.com)

Copy link

changed the description

changed the description

prandnum commented 2023-04-20 20:18:31 +00:00 (Migrated from gitlab.com)

Copy link

changed the description

changed the description

prandnum commented 2023-04-20 20:18:34 +00:00 (Migrated from gitlab.com)

Copy link

changed the description

changed the description

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

feature/579-enable-hardfork-check

develop

beatrice

feature/577-sidechain-plugin

hotfix/bookie2024

feature/568-static-libbitcoin

567-update-dockerfile

docs/readme-build-subdirectory

local_dev_subscribe_address

feature/release-automation-changelogs

feature/remove-image-e2e-tests

feature/installer-script

local_dev_manual_zmq_socet

local_test_block_events

develop-clang17-wip

feature/python-e2e-tests

bug/501-on_connection_closed

bug/513-num_son_init

bug/513-num_son_extension

docker-build-fix

libbitcoin-build-dependencies-cicd

feature/cicd-deployments-and-upgrades

feature/limit-NFT-objs-returned

sonarcloud-coverage

bug/api-doc-generation-hotfix

test/hot-fix-hardfork-changed

mint-testnet-sidechain-address-fix

hotfix/sidechain-address

feature/limits-for-nft_get_all_tokens

debug-transaction-signing

feature/libbitcoin-son

revert-1a160275

revert-f7aab6a8

peerup-clang14-new

feature/son-for-ethereum

peerup-clang14

feature/420-ethereum-unit-tests

bug/issue416_corrected

bug/issue-416

cicd-test

test/enable_disconnect_non_compatible_witness_nodes

395-verify-delayed_node-plugin

431-verify-debug_witness-plugin

461-handle-boost-system-system_error-exception

local_enable_logs_for_irona

merge-develop-to-beatrice-2022-06

bug/378/fix_for_restarting_node_without_replay_option

feature/368/implement_the_witness_capability_to_overwrite_last_hardfork

bug/issue317

issue317-traces

dapp-support

feature/274/redirect_transaction_fees_to_dividends

bug/issue34

bug/issue229

bug-235-update-2

Feature-Enable-parallel-build-testnet-mainnet-cmake

231-docker-with-artifacts

325-refactor-importing-btc-addresses-into-son-wallet

bug/235-stop_corrupts_chain_file-1

bug/empty-json-parsing-failure-2

bug/failure-on-son-related-test-1

bug/issue50

230-docker-image-from-ci-should-be-pushed-to-gitlab-registry-2

bug/issue-50-4

bug/issue50-trace-tid

bug/issue-50-2

bug/issue-50-3

bug/94-docker-build

bug/issue-50

bug/empty-json-parsing-failure

bug/rpc-client-crashes-on-empty-response

bug_fix_warnings

feature/all-in-one-build

feature/cli-activate-deregistered-son

hotfix/fix-sidechain-address-generation

revert-b875f0b8

hotfix/fix-memo-field-encryption

issue/son-for-hive-rpc-connection

hotfix/fix-plugin-cli-option

bug/35-blockchain_replay

merge-beatrice-to-master-2021-11

feature/son-for-hive

feature/son-for-hive-https-support

revert-b806eb85

feature/rel-mainnet-jul21

feature/mainnet-release-jul21

feature/reserve-tokens

feature/beatrice-changes-to-develop

feature/testnet-release-jun2021

feature/add-cliwallet-version

feature/son-wrong-weights

support/sonarcloud

feature/add-get-blocks

feature/sidechain-throttling

63-doc-son-docker-mainnet

issue/dex-crash

feature/port-dex-fixes

feature/hf-btc-flags-change

hotfix/build-warnings-210210

hotfix/master-son-vb-checks

hotfix/check-vesting-balances-for-son

feature/nft_lottery

hotfix/master-hotfixes

hotfix/gitlab

support/ci

hotfix/fix-get-full-accounts

feature/flush-db-during-replay

feature/cli-change-account-keys

feature/gpos-vesting-performance-decay-test

bugfix/374

hotfix/fix-witness-sons-multiple-ids-reading

feature/es-improvements

hotfix/cli-buy-sell-fix

merge_beatrice_to_develop_202012

merge_beatrice_to_master_202012

merge/master-to-beatrice-20201203

tests/code-coverage

feature/build-optimizations

hotfix/build-executables

merge/beatrice2develop

feature/sync-fc-OCT

hotfix/remove_fc_smart_ref

hotfix/remove_smart_ref

hotfix/remove_fc_smart_ref_develop

feature/api_limit_error_msg

hotfix/beatrice_compilation

feature/rl-editline

hotfix/release_build_fix_develop

hotfix/release_build_fix

feature/editline

hotfix/son_maxcount_fix

hotfix/son_fixes

hotfix/son_chain_params

merge/develop2beatrice

feature/SONs-base

feature/bts-210

feature/account_roles

issue375/public_key_type_fix

ws-updates

feature/rng

feature/beatrice_nft_merge

feature/marketplace

issue/mainnet_chain_halt_5050

issue/gpos_rolling_period_issue

issue/beatrice_chain_halt_gpos

feature/nft_market_rbac

feature/nft

feature/rbac

feature/GRPH-45

lottery_crash_reproduction

master_chain_halt_issue

son_deposit_address_enhancements

bitcoin_networktype_fix

SON-314

SON-363

SON-359

fix_tests

hotfix-rawtransaction

feature/SON-135

SON-215_SigningFix

issue_a_gitlab

SON-315

feature/SON-349

SON-BTCPxPlex-Tryouts

feature/SON-347

feature/SON-354

feature/SON-349_SON-350

feature/SON-353

beatrice_master_mar19

feature/SON-134-v4

feature/SON-333-gladcow

feature/beatrice_winner_id

feature/nh5050_winner_id

SON-337

SON-333-v2-sk

feature/SON-333-v2

feature/SON-348

feature/SON-346

feature/SON-344

feature/SON-341

feature/SON-325

feature/SON-320

feature/SON-322_SON-324

SON-291

SON-339

feature/SON-333

feature/SON-305

SON-297_SON-336

feature/SON-307

SON-313

feature/SON-134-alternate

son_account_fix_SON329

feature/SON-332

gitlab_test_clean_build

feature/SON-321_SON-323

feature/SON-288-update

feature/SON-271

feature/SON-311

SON-318_SON-319

feature/SON-312

feature/SON-304

feature/SON-295

SON-122

revert-312-sons_gpos_merge_mar19

SON-24

feature/SON-134

sons_gpos_merge_mar19

sons_gpos_merge_mar18

sons_gpos_merge_mar2

SON127

release/1.5.02

feature/SON-49

SON276

SON275

sync_fc_beatrice

plugins_enable_fix1

SON202_Update

SON118_Add_tx_metrics

feature/SON-270

SON269

SON200_Fix

es_update1

GRPH-160/fix

sync_fc_dev

feature/SON-264

SON261

feature/SON-260

feature/SON-242

unit_test_fixes

feature/SON-209-add

feature/SON-209

feature/SON-238

feature/snapshot

feature/GRPH-155

feature/GRPH-163

updates_from_mainnet

SON131

issue_github_277

2020_1_sync_fix

mainnet-sync-fix

mainet-sync

feature/SON-231

feature/SON-202-fix

SON214

feature/SON-98

SON233

SON232

SON165

SON206_Plugin_CrashFix_Reorg

GPOS-66

feature/SON-214

SON199-TestFailureFix

pbattu123-patch-1

feature/SON-202

feature/GRPH-205

support/gitlab-SONs-base

SON217

SON212_SON213_BuildError

SON212

SON206

SON194

sync-develop

hf-update

feature/SON-208

GPOS-1

beatrice_hf_1.4.1

SON207

feature/SON-203

GRPH-170

feature/GRPH-166

feature/SON-205

feature/BLOCKBACK-186-Bug-Fix

feature/GRPH-169

SON193

BLOCKBACK-186

feature/GRPH-152

BLOCKBACK-183

BLOCKCBACK-187

BLOCKBACK-187

feature/GRPH-168

feature/GRPH-167

feature/SON-196

203

feature/SON-195

feature/SON-158

GRPH-46

feature/GRPH-92

feature/GRPH-162

GRPH-159

feature/GRPH-160

update-submodule

BLOCKBACK-181

feature/BLOCKBACK-182

feature/GRPH-49-test-case

support/gitlab-develop

BLOCKBACK-177

GRPH-81

SON130

feature/GRPH-150

feature/SON-167

feature/SON-150

fc-commit-update

GRPH134

feature/GRPH-99

GRPH134_#198-HighCPU_Usage

qa_gpos_18.04

feature/BLOCKBACK-162

son_165

feature/SON-113-fix

feature/SON-160-fix

son_168

BLOCKBACK-155

feature/SON-142

BLOCKBACK-174

fix_flag

feature/BLOCKBACK-166

BLOCKBACK_164

feature/BLOCKBACK-165

SON126

feature/SON-113

BLOCKBACK-164

BLOCKBACK--164

oxarbitrage-patch-1

feature/SON-17

son_vesting

feature/GRPH-131

support/docker

SON118

feature/SON-115

son_wallet_clean

feature/GRPH-126

feature/GRPH-127

son_objects_operations

feature/SON-109

feature/SON-108

feature/SON-110

feature/SON-operations

feature/SON-137-GitModule-Update

feature/SON-83

feature/SON-107

feature/GRPH-2-GitModule-Update

jira-163-fix

153/fix-add-on

feature/GRPH-2-Git-Module-Update

feature/GRPH-79-Bug-Fix

feature/GRPH-3

feature/GRPH-117

gpos-testfix

feature/GRPH-90

feature/SON-84

feature/GRPH-114

feature/GRPH-95

118

feature/GRPH-112

issue/154-fix

GRPH-50-network_broadcast_api-fix-v2

BLOCKBACK-153

BLOCKBACK-154

feature/GRPH-94

feature/GRPH-111

feature/GRPH-83

feature/SON-5

feature/GRPH-93-v2

feature/GRPH-106

feature/GRPH-64

feature/GRPH-86

SON11

graphene-release1

GRPH-75

feature/GRPH-79

GRPH-73-fix-block-id-forks

feature/GRPH-88

pbsa-github-patch-1

feature/GRPH-80

feature/GRPH-93

feature/GRPH-87

feature/test-grph-3

feature/SON-83-plugins-option

GRPH-89

feature/SON-83-SON-plugin

support/gitlab-master

feature/SONs-base-build-1804

support/gitlab-beatrice

GRPH-4-update-submodule

feature/tweakes-README

GRPH-56-implement-tx-size-check-18.04

GRPH-56-implement-tx-size-check-master

github-issue-template1

support/gitlab

review-fixes

hardfork-50/50

cli_wallet_tests

rng_api

feature/GRPH-76

feature/GRPH-78

GRPH-59-Proposal-failure-handling

GRPH-71

feature/GRPH-61

feature/GRPH-77

issue-154

feature/GRPH-63

GRPH-3-cli-tests-18.04

GRPH-63-Authorize-Tx-Bug-18.04

GRPH-70

GRPH-51

pp_travis

WASM-49

GRPH-4

GRPH-53

feature/GRPH-54

GRPH-60

feature/GRPH-48

GRPH-48-Object-Database-18.04

GRPH-66

qa_gpos_18.04_gcc7_fix

GRPH-60-ProposalNestedRecursionGuard

GRPH-64-Variable-fix-18.04

GRPH-57-CompilerWarningFixesDBTests

GRPH-54-sign-transaction-fix-master

GRPH-54-sign-transaction-fix-18.04

qa_gpos_18.04_docker_img

GRPH-50-network_broadcast_api-fix

beatrice-5050-merge

Issue23-check-transaction-size

issue23-check-transaction-size

feature/5050

hotfix/readme

hotfix/readme-branch-from-gitlab

hotfix/docker

hotfix/docker-branch-from-gitlab

hotfix/unit-tests

hotfix/unit-tests-branch-from-gitlab

feature/manager-for-sports-and-underlying

feature-sidechain

1.6.1

1.6.0

1.5.25-beta

1.5.24-beta

1.5.23-beta

1.5.22-alpha

1.5.21-alpha

1.5.20-alpha

1.5.19

1.5.18

1.5.17

1.5.16

1.5.15

1.5.14

1.5.13

1.5.12

test-1.5.5

test-1.5.4

test-1.5.3

1.5.11

1.5.10

test-1.5.2

test-1.5.1

test-1.5.0

test-1.4.5

1.4.4

1.4.3

test-1.4.4

1.5.05

1.5.04

1.5.03

1.5.02

test-1.4.3

SON0.0.1

1.5.01

1.4.2

test-1.4.2

1.4.2-alpha

test-1.4.1

1.4.1-alpha

test-1.4.0

1.3.1

Ignore

1.3.0

1.2.0

1.1.0

1.0.0

Labels

Clear labels   

confirmed

  

DevOps

  

documentation

  

enhancement

  

incident

Denotes a disruption to IT services and the associated issues require immediate attention

  

Medium

  

priority::Critical

(optional) Issues that are marked as critical priority. Should be taken care of ASAP.

  

priority::High

(optional) Issues that are marked as high priority.

  

priority::Low

(optional) Issues that are marked as low priority.

  

priority::Medium

(optional) Issues that are marked as medium priority.

  

QA-TestCases::Done

QA-Labels

  

QA-TestCases::InProgress

QA-Labels

  

RNG

  

security

(optional) Issues that relate to the security of the project.

  

severity:: Critical

  

severity:: High

  

severity:: Low

  

severity:: Medium

  

state:: Accepted

Issues that are newly created and have been accepted after review.

  

state:: Blocked

Issues that cannot be worked on due to other factors linked to it.

  

state:: Done

Issues that are closed with a working solution.

  

state:: in progress

Issues that are currently being worked on.

  

state:: in review

Issues that require a proposed solution to be reviewed.

  

state:: on hold

Issues that were at least accepted, that should not be worked on at the moment.

  

state:: Pending

Issues that are newly created and haven't been reviewed.

  

state:: Pushed to Prod

Tickets are verified in the stage infra and needs to be deployed in the production

  

state:: Revision Needed

Issues that need to be revised before being accepted.

  

state::out-of-scope

Task and issues which are out of scope due to change in requirements

  

suggestion

  

support

  

To Do

  

type :: Discussion

  

type :: Duplicate

(optional) Issues that are duplicates of existing issues in the same project.

  

type:: interaction-design

  

type:: New Feature

Issues that bring new functionality to the project.

  

type::bug

BUG

  

type::documentation

Issues that relate to the documentation of the project.

  

type::incident

severe issues that require immediate response

  

type::maintenance

Issues that require maintenance on the project.

  

type::question

Issues that are questions related to the project.

  

type::recurring-tasks

This label is used to track recurring tasks which may repeat daily, weekly or monthly.

  

vulnerability

No labels

confirmed

DevOps

documentation

enhancement

incident

Medium

priority::Critical

priority::High

priority::Low

priority::Medium

QA-TestCases::Done

QA-TestCases::InProgress

RNG

security

severity:: Critical

severity:: High

severity:: Low

severity:: Medium

state:: Accepted

state:: Blocked

state:: Done

state:: in progress

state:: in review

state:: on hold

state:: Pending

state:: Pushed to Prod

state:: Revision Needed

state::out-of-scope

suggestion

support

To Do

type :: Discussion

type :: Duplicate

type:: interaction-design

type:: New Feature

type::bug

type::documentation

type::incident

type::maintenance

type::question

type::recurring-tasks

vulnerability

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: Peerplays_Blockchain/peerplays_migrated#529

No description provided.