solana: Durable nonce transactions resulting in an instruction error allow fee theft

Problem

Solana normally charges fees on transactions that either succeed or fail with an InstructionError. In the latter case, the state of every modified account is also rolled back to what it was before execution. Because a durable nonce transaction advances the stored nonce by way of an instruction, a failure with an InstructionError rolls that advance back too, and the old stored nonce is put back in place. Since durable nonces have arbitrary lifetimes, it is infeasible to maintain a signature blacklist against each nonce value, à la StatusCache. As a result, such failed transactions can be replayed, with fees charged each time, until the stored nonce value is successfully advanced.

Proposed Solution

The stored nonce MUST advance whenever the account state or balance changes, including paying fees. This can be achieved by always storing the updated nonce accounts.

Alternatively, the stored nonce can be advanced outside the program. If this path is chosen, moving the durable nonce feature into the system program should be considered.
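A toy model of the two behaviours described above (pre-fix rollback of the nonce account versus the proposed always-persist fix), added here as an illustration and not solana-labs code; the account names, balances, fee and nonce values are constructed.

```python
# Toy model of how a bank handles a durable-nonce transaction whose payload
# instruction fails. Added illustration, not solana-labs code; all account
# names, balances, fee and nonce values are constructed.
from dataclasses import dataclass, field

FEE = 5_000               # lamports per transaction (constructed sample value)
START_BALANCE = 1_000_000

@dataclass
class Bank:
    stored_nonce: str                  # value currently held by the nonce account
    next_nonce: str                    # value AdvanceNonceAccount would store
    balances: dict = field(default_factory=dict)
    fix_enabled: bool = False          # proposed fix: always persist the nonce account

    def process(self, payer, nonce_used, payload_fails):
        """Process one durable-nonce transaction and return its outcome."""
        if nonce_used != self.stored_nonce:
            # Nonce already consumed: the tx is not executed and no fee is charged.
            return "rejected: stale nonce"
        # Fees are charged on success and on InstructionError alike.
        self.balances[payer] -= FEE
        saved_nonce = self.stored_nonce
        self.stored_nonce = self.next_nonce          # AdvanceNonceAccount instruction
        if payload_fails:
            if not self.fix_enabled:
                # Pre-fix: every modified account is rolled back, the nonce
                # account included, so the old nonce becomes valid again.
                self.stored_nonce = saved_nonce
            return "failed: InstructionError"
        return "ok"

def replay(fix_enabled, attempts=3):
    """Submit the same failing durable-nonce tx `attempts` times.

    Returns the payer's final balance and the per-attempt outcomes.
    """
    bank = Bank(stored_nonce="nonce-A", next_nonce="nonce-B",
                balances={"payer": START_BALANCE}, fix_enabled=fix_enabled)
    outcomes = [bank.process("payer", "nonce-A", payload_fails=True)
                for _ in range(attempts)]
    return bank.balances["payer"], outcomes

if __name__ == "__main__":
    print("pre-fix :", replay(False))   # fee charged on every replay
    print("post-fix:", replay(True))    # fee charged once, replays rejected
```

With the fix enabled the first submission still pays its fee, but the nonce account keeps the advanced value, so the same transaction is rejected on every later attempt.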

cc/ @rob-solana

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 18 (18 by maintainers)

Most upvoted comments

@t-nelson those test accounts can safely be made zero-data

@rob-solana @t-nelson why not just let it be. The transaction should succeed, and the user can guard against failure by using a low balance system account.

The main user is currently planning to have a non-trivial balance in the fee account

new species of system account