[UTXO-BUG] CRITICAL: Token conservation bypass allows arbitrary asset creation #3934
Closed
BossChaos wants to merge 2 commits into Scottcjn:main from
- Updates python-socketio to latest stable version 5.16.1
- Includes bug fixes and performance improvements
- Closes Scottcjn#2830
Demonstrates that the UTXO layer does not enforce token conservation, allowing attackers to mint arbitrary tokens from nothing.

Vulnerability class: Asset creation bypass
Severity: Critical (200 RTC) - Fund creation equivalent for tokens

Test cases prove:
1. Tokens can be created from nothing in apply_transaction()
2. Tokens can be destroyed without proper validation
3. Mempool also lacks token conservation checks

The apply_transaction() method only validates nRTC conservation (sum of inputs == sum of outputs + fee) but completely ignores the tokens_json field, violating the UTXO invariant that outputs cannot contain more of any asset than inputs.

Fix required: Add token balance tracking to apply_transaction() and mempool_add() to ensure token conservation.
Owner
Closing as superseded by #3935 which contains:
#3935 is the comprehensive PR that includes everything here plus the actual remediation code. Reviewing + paying against #3935. No need for two separate payouts when one PR does the full job.
Vulnerability Summary
Type: Asset creation bypass (Critical severity)
Reward Tier: 200 RTC (Critical - Fund creation equivalent for tokens)
File: node/utxo_db.py - apply_transaction() method

Description
The UTXO layer does not enforce token conservation, allowing attackers to mint arbitrary tokens from nothing.

Attack Scenario
tokens_json
apply_transaction() accepts the transaction because it only checks nRTC conservation

Proof of Concept
See tests/test_utxo_token_conservation.py - failing test cases demonstrate:
- Token creation from nothing (test_token_creation_from_nothing)
- Token destruction without validation (test_token_destroy_without_spending)
- Mempool lacks token checks (test_mempool_allows_token_creation)

Impact

Required Fix
Add token balance tracking to:
- apply_transaction() - enforce input tokens == output tokens for each token_id
- mempool_add() - reject transactions that violate token conservation

Test Case
Run:
python3 tests/test_utxo_token_conservation.py -v
Tests currently PASS (demonstrating the bug exists) and should FAIL after the fix is applied.
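
One way to express the per-token check named under Required Fix, as an added example that is not code from this PR or from the project. It assumes each UTXO is a dict whose tokens_json field holds a JSON object mapping token_id to a positive integer amount; the function names, error class and sample values are hypothetical.

```python
import json
from collections import Counter

# Assumption (not from the project): tokens_json is a JSON object string
# mapping token_id -> positive integer amount; None or "" means no tokens.

class TokenConservationError(ValueError):
    """A transaction's token balances do not conserve."""

def _token_totals(utxos):
    """Sum token amounts per token_id across a list of UTXO dicts."""
    totals = Counter()
    for utxo in utxos:
        try:
            tokens = json.loads(utxo.get("tokens_json") or "{}")
        except (TypeError, ValueError) as exc:
            raise TokenConservationError(f"unparseable tokens_json: {exc}") from exc
        if not isinstance(tokens, dict):
            raise TokenConservationError("tokens_json must be a JSON object")
        for token_id, amount in tokens.items():
            # Reject bools, floats, strings, zero and negatives: a negative
            # output amount would otherwise cancel a minted positive one.
            if type(amount) is not int or amount <= 0:
                raise TokenConservationError(f"token {token_id!r}: bad amount {amount!r}")
            totals[token_id] += amount
    return totals

def check_token_conservation(inputs, outputs):
    """Require input total == output total for every token_id, else raise."""
    spent, created = _token_totals(inputs), _token_totals(outputs)
    for token_id in sorted(set(spent) | set(created)):
        if spent[token_id] != created[token_id]:
            raise TokenConservationError(
                f"token {token_id!r}: inputs={spent[token_id]} outputs={created[token_id]}")

def is_conserving(inputs, outputs):
    """Boolean form, e.g. for a mempool admission decision."""
    try:
        check_token_conservation(inputs, outputs)
        return True
    except TokenConservationError:
        return False

# Constructed sample data (hypothetical token ids), tokens_json field only.
SPENT = [{"tokens_json": '{"TKN": 60}'}, {"tokens_json": '{"TKN": 40}'}, {"tokens_json": None}]
BALANCED = [{"tokens_json": '{"TKN": 100}'}]
MINTING = [{"tokens_json": '{"TKN": 100, "NEW": 5}'}]
NEGATIVE = [{"tokens_json": '{"TKN": 100, "NEW": 5}'}, {"tokens_json": '{"NEW": -5}'}]
```

In the page's terms, a check like this would run next to the existing nRTC conservation check in both apply_transaction() and mempool_add().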