fix: prevent feeless blockspace DDoS via pre-dispatch validation #367
Merged
Conversation
Add architecture decision record documenting the approach to prevent DDoS attacks where failed transactions consume blockspace without paying fees. Ticket: PM-20944
Contributor
Great job! No new security vulnerabilities introduced in this pull request
Add validation in pre_dispatch to detect and reject transactions whose guaranteed part would fail before they are included in blocks. This prevents a DDoS attack vector where attackers could fill blocks with transactions that fail the guaranteed phase (before fees are extracted), consuming blockspace without paying fees.
Changes:
- Add Ledger::validate_guaranteed_execution() for dry-run validation
- Add Bridge::validate_guaranteed_execution() method
- Add host API function for validate_guaranteed_execution
- Enhance pre_dispatch to call guaranteed validation
The validation performs a dry-run of the transaction application to detect TransactionResult::Failure without persisting any state changes. Transactions that would fail are rejected with InvalidTransaction error. Ticket: PM-20944
…com/midnightntwrk/midnight-node into fix/prevent-feeless-blockspace-ddos
Add required feature flags to dev-dependencies:
- midnight-node-ledger-helpers: add 'can-panic' for extract_info_from_tx_with_context
- midnight-node-ledger: add 'std' and 'test-utils' for BlockContext conversion
This fixes pre-existing test infrastructure issues that prevented pallet tests from compiling.
Add unit tests to verify the DDoS mitigation works correctly:
- test_pre_dispatch_accepts_valid_transaction: valid tx passes
- test_pre_dispatch_rejects_contract_not_present: tx calling missing contract rejected
- test_pre_dispatch_rejects_malformed_transaction: malformed tx rejected
These tests verify that transactions which would fail the guaranteed part are rejected at pre_dispatch time, preventing blockspace consumption without fee payment. Ticket: PM-20944
- TC-0003-02: test_pre_dispatch_rejects_replay_attack
- TC-0003-05: test_pre_dispatch_validation_does_not_modify_state
- TC-0003-05: test_pre_dispatch_validation_does_not_modify_state_on_failure
All 16 pallet unit tests passing.
…into fix/prevent-feeless-blockspace-ddos
- ADR-0003: Convert to standard template structure with proper Status section, Context with force subsections, consolidated Decision section, and Confirmation criteria
- Test Plan: Convert to table format with hyperlinked Test IDs and symbols, remove redundant sections, add Running Tests commands
Remove suffixes (b, e2e) and ADR number from test IDs. Now uses simple PR367-TC-01 through PR367-TC-08 format.
…ution Address PR review comment explaining that while validate_unsigned() already performs well_formed() validation, we must call it again here because:
- apply() requires a VerifiedTransaction type
- The earlier validation discards that result
- This is a type-system constraint, not redundant logic
- docs/decisions/0003-prevent-feeless-blockspace-ddos.md -> docs/architecture/adr-prevent-feeless-blockspace-ddos.md
- docs/tests/0003-prevent-feeless-blockspace-ddos.md -> docs/tests/test-plan-prevent-feeless-blockspace-ddos.md
This reverts commit c201f0c.
justinfrevert approved these changes on Dec 19, 2025
- Add replay_attack_rejected_via_rpc E2E test
- Verifies duplicate transaction submission is rejected at pre_dispatch
- Complements existing DDoS mitigation tests (TC-0003-06)
WP: Prevent Feeless Blockspace DDoS
…into fix/prevent-feeless-blockspace-ddos

Summary
Add pre-dispatch validation to prevent transactions whose guaranteed part will fail from being included in blocks, closing a DDoS attack vector where attackers can fill blocks without paying fees.
🎫 Ticket 📐 ADR 🧪 Test Plan
Motivation
Midnight transactions have a two-phase execution model where the guaranteed part always executes (and extracts fees) while the fallible part may succeed or fail. A DDoS vulnerability exists where transactions can pass structural validation (well_formed()) but fail during guaranteed execution—consuming blockspace without paying fees. An attacker can exploit this by flooding the network with structurally valid transactions designed to fail the guaranteed part (e.g., calling non-existent contracts, replaying transactions), filling blocks at zero cost and denying service to legitimate users.
Changes
- Add validate_guaranteed_execution() to simulate guaranteed part execution without modifying state
- Expose validate_guaranteed_execution through the Bridge API and host functions
- Extend the pre_dispatch hook to call validation before block inclusion
📌 Submission Checklist
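The dry-run pattern the Motivation and Changes sections describe, as an added toy model rather than midnight-node's own code: the guaranteed phase runs against a clone of the ledger, so a transaction that would fail (missing contract, replayed nonce) is rejected in pre_dispatch while the real state stays untouched. The Ledger, Tx and InvalidTransaction types and their fields are assumptions for the illustration.

```rust
// Added example (not midnight-node code): toy model of pre-dispatch dry-run
// validation of the guaranteed phase. All type and field names are assumed.
use std::collections::HashMap;

#[derive(Clone, Debug, PartialEq)]
pub struct Ledger {
    pub balances: HashMap<&'static str, u64>,
    pub contracts: Vec<&'static str>,
    pub seen_nonces: HashMap<&'static str, u64>, // per-sender replay protection
}

#[derive(Clone, Debug)]
pub struct Tx {
    pub sender: &'static str,
    pub nonce: u64,
    pub fee: u64,
    pub calls_contract: &'static str,
}

#[derive(Debug, PartialEq)]
pub enum InvalidTransaction { Replay, ContractNotPresent, InsufficientFee }

impl Ledger {
    /// Guaranteed phase: every check here runs *before* the fee is taken,
    /// so a failure costs the sender nothing but still consumed blockspace.
    fn apply_guaranteed(&mut self, tx: &Tx) -> Result<(), InvalidTransaction> {
        let last = self.seen_nonces.get(tx.sender).copied().unwrap_or(0);
        if tx.nonce <= last { return Err(InvalidTransaction::Replay); }
        if !self.contracts.contains(&tx.calls_contract) {
            return Err(InvalidTransaction::ContractNotPresent);
        }
        let bal = self.balances.entry(tx.sender).or_insert(0);
        if *bal < tx.fee { return Err(InvalidTransaction::InsufficientFee); }
        *bal -= tx.fee; // fee extraction happens only after all checks pass
        self.seen_nonces.insert(tx.sender, tx.nonce);
        Ok(())
    }

    /// Dry run: same checks as apply_guaranteed, executed on a throwaway clone
    /// so nothing is persisted regardless of the outcome.
    pub fn validate_guaranteed_execution(&self, tx: &Tx) -> Result<(), InvalidTransaction> {
        let mut scratch = self.clone();
        scratch.apply_guaranteed(tx)
    }
}

/// pre_dispatch hook: refuse block inclusion when the guaranteed part would fail.
pub fn pre_dispatch(ledger: &Ledger, tx: &Tx) -> Result<(), InvalidTransaction> {
    ledger.validate_guaranteed_execution(tx)
}
```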