trustchain.db is storing blocks from other apps which makes DOS attacks possible #80

Open
Artanidos opened this issue May 25, 2023 · 2 comments


@Artanidos

I discovered that also blocks from other apps, peerchat in my case, are stored in the database.
Not aware that this might happen I tried to unpack the transaction, which results in a crash.

What I had to do is to check block.type before unpacking.
What I can also do is to change the serviceId for the TrustChainCommunity, but as we are also open source, this serviceId is also addressable by other apps. What I fear is that someone can use DOS attacks to make the db explode (no disk space left).

Am I missing something?
I would rather add an encrypted API key in the blocks, so that the app can check if this block comes from the same app and only store those blocks.

@InvictusRMC
Member

This is indeed the current behaviour. You can overcome this attack vector by validating blocks before they're saved.

@Artanidos
Author

Thx for quick reply.
I initialize the trustchain as follows, in this case I can only validate our own specific blocks.
trustchain.registerTransactionValidator(Backend.BLOCK_TYPE, object : TransactionValidator {

Do I have to subclass the TrustChainCommunity, rewrite the class itself or are there better possibilities?
Sry, for asking noob questions, but I started with Kotlin 2 weeks ago. I am more the C/C++/C# guy ;-)
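
The gate discussed in this thread (check the block type and validate before anything is written to the database), as an added example that is not from the thread or from the project's code. `Block`, `Validator`, `GatedStore`, the block type names and the size limits are hypothetical stand-ins, not kotlin-ipv8 classes or values.

```kotlin
// Added example: a self-contained model, not kotlin-ipv8 code.
// Block, Validator and GatedStore are hypothetical stand-ins.
class Block(val type: String, val publicKey: String, val payload: ByteArray)

fun interface Validator { fun isValid(block: Block): Boolean }

class GatedStore(
    private val maxPayloadBytes: Int,   // per-block cap (assumed, chosen by the app)
    private val maxBytesPerPeer: Long   // per-sender disk quota (assumed)
) {
    private val validators = mutableMapOf<String, Validator>()
    private val usedByPeer = mutableMapOf<String, Long>()
    private val blocks = mutableListOf<Block>()   // stands in for the database table

    fun register(type: String, validator: Validator) { validators[type] = validator }

    /** Returns true only if the block was persisted. */
    fun offer(block: Block): Boolean {
        // 1. Default deny: a type with no registered validator belongs to another app.
        val validator = validators[block.type] ?: return false
        // 2. Bound the size before doing any parsing work.
        if (block.payload.size > maxPayloadBytes) return false
        // 3. Enforce a quota per sender key.
        val used = usedByPeer.getOrDefault(block.publicKey, 0L)
        if (used + block.payload.size > maxBytesPerPeer) return false
        // 4. A validator that throws on malformed input rejects the block instead of crashing.
        val ok = try { validator.isValid(block) } catch (e: Exception) { false }
        if (!ok) return false
        blocks += block
        usedByPeer[block.publicKey] = used + block.payload.size
        return true
    }

    fun size(): Int = blocks.size
}

fun main() {
    val store = GatedStore(maxPayloadBytes = 1024, maxBytesPerPeer = 2048)
    // Constructed sample type and validator: the payload must be UTF-8 "key=value".
    store.register("my_app_block") { b -> String(b.payload, Charsets.UTF_8).split("=").size == 2 }

    println(store.offer(Block("my_app_block", "peerA", "amount=5".toByteArray())))  // own type, well-formed
    println(store.offer(Block("peerchat_msg", "peerB", "hello".toByteArray())))     // another app's type
    println(store.offer(Block("my_app_block", "peerA", ByteArray(4096))))           // oversized payload
    println(store.size())                                                           // number of stored blocks
}
```

A per-key quota alone does not bound total disk use, since sender keys are cheap to create; a global size cap or pruning policy is still needed alongside it.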
