From 95705e8b7b6e021b3312c4dc9c817b7646bf67af Mon Sep 17 00:00:00 2001
From: Sina M <1591639+s1na@users.noreply.github.com>
Date: Mon, 30 Mar 2026 10:01:30 +0200
Subject: [PATCH] internal/ethapi: limit number of getProofs keys (#34617)

We can consider making this limit configurable if ever the need arose.
---
 internal/ethapi/api.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/internal/ethapi/api.go b/internal/ethapi/api.go
index a62328e201..4f217d0578 100644
--- a/internal/ethapi/api.go
+++ b/internal/ethapi/api.go
@@ -57,6 +57,10 @@ const estimateGasErrorRatio = 0.015
 // be requested in a single eth_getStorageValues call.
 const maxGetStorageSlots = 1024
+// maxGetProofKeys is the maximum number of storage keys that can be
+// requested in a single eth_getProof call.
+const maxGetProofKeys = 1024
+
 var errBlobTxNotSupported = errors.New("signing blob transactions not supported")
 var errSubClosed = errors.New("chain subscription closed")
@@ -362,6 +366,9 @@ func (n *proofList) Delete(key []byte) error {
 // GetProof returns the Merkle-proof for a given account and optionally some storage keys.
 func (api *BlockChainAPI) GetProof(ctx context.Context, address common.Address, storageKeys []string, blockNrOrHash rpc.BlockNumberOrHash) (*AccountResult, error) {
+ if len(storageKeys) > maxGetProofKeys {
+ return nil, &invalidParamsError{fmt.Sprintf("too many storage keys requested (max %d, got %d)", maxGetProofKeys, len(storageKeys))}
+ }
 var (
 keys = make([]common.Hash, len(storageKeys))
 keyLengths = make([]int, len(storageKeys))
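Review bot: The guard added at the top of GetProof has no accompanying test (the diffstat lists only internal/ethapi/api.go), so the boundary is not pinned. A case with exactly `maxGetProofKeys` keys that succeeds, and one with `maxGetProofKeys+1` that returns the invalid-params error, would keep the `>` comparison from drifting. The placement is right, since an oversized request is rejected before the two `make(..., len(storageKeys))` allocations. The cap bounds a single call only, so it would help operators if the constant's comment said so, e.g. `// The limit is per call; it does not bound work across a JSON-RPC batch.` GetProof's body continues outside the hunk.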
@@ -393,6 +400,9 @@ func (api *BlockChainAPI) GetProof(ctx context.Context, address common.Address,
 }
 // Create the proofs for the storageKeys.
 for i, key := range keys {
+ if err := ctx.Err(); err != nil {
+ return nil, err
+ }
 // Output key encoding is a bit special: if the input was a 32-byte hash, it is
 // returned as such. Otherwise, we apply the QUANTITY encoding mandated by the
 // JSON-RPC spec for getProof. This behavior exists to preserve backwards
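Review bot: The `ctx.Err()` check added at the top of the `for i, key := range keys` loop has no comment saying why it is there. I would add `// Abort if the request was cancelled or timed out, so an abandoned call stops generating proofs.` above it. The check runs once per key, so a single slow proof is not interrupted; that is presumably acceptable, but worth confirming against the per-proof cost. It returns the bare context error, and whether the RPC layer maps that to a sensible JSON-RPC error is not visible in this hunk. The loop body continues outside the hunk.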