From 8f68af5da063e57b10e411012eacccf05f269413 Mon Sep 17 00:00:00 2001
From: Daniel Liu
Date: Thu, 13 Mar 2025 16:47:42 +0800
Subject: [PATCH 1/2] eth/gasprice: add query limit for FeeHistory to defend DDOS attack (#29644)

---
 eth/gasprice/feehistory.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/eth/gasprice/feehistory.go b/eth/gasprice/feehistory.go
index 4d7e439437..598972181a 100644
--- a/eth/gasprice/feehistory.go
+++ b/eth/gasprice/feehistory.go
@@ -42,6 +42,8 @@ const (
 	// maxBlockFetchers is the max number of goroutines to spin up to pull blocks
 	// for the fee history calculation (mostly relevant for LES).
 	maxBlockFetchers = 4
+	// maxQueryLimit is the max number of requested percentiles.
+	maxQueryLimit = 100
 )
 
 // blockFees represents a single block for processing
@@ -221,6 +223,9 @@ func (oracle *Oracle) FeeHistory(ctx context.Context, blocks uint64, unresolvedL
 	if len(rewardPercentiles) != 0 {
 		maxFeeHistory = oracle.maxBlockHistory
 	}
+	if len(rewardPercentiles) > maxQueryLimit {
+		return common.Big0, nil, nil, nil, fmt.Errorf("%w: over the query limit %d", errInvalidPercentile, maxQueryLimit)
+	}
 	if blocks > maxFeeHistory {
 		log.Warn("Sanitizing fee history length", "requested", blocks, "truncated", maxFeeHistory)
 		blocks = maxFeeHistory

From 5ef815a6c9f8f68f97ef6bc2e8100d85cef597a7 Mon Sep 17 00:00:00 2001
From: Daniel Liu
Date: Thu, 13 Mar 2025 16:54:27 +0800
Subject: [PATCH 2/2] eth/gasprice: sanity check ratio values (#31270)

---
 eth/gasprice/feehistory_test.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/eth/gasprice/feehistory_test.go b/eth/gasprice/feehistory_test.go
index f3344348c2..7fc77d57ed 100644
--- a/eth/gasprice/feehistory_test.go
+++ b/eth/gasprice/feehistory_test.go
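Review bot: The guard added to FeeHistory sits in the right place for a per-request bound (it returns before the block count is sanitized and before any block is fetched), but the constant name `maxQueryLimit` does not say what it limits, while its comment in the const hunk above says it is the max number of requested percentiles; naming it for what it bounds, `maxRewardPercentiles = 100` in the const block and `if len(rewardPercentiles) > maxRewardPercentiles {` here, makes both hunks self-describing. The wrapped message `%w: over the query limit %d` reads like a rate limit rather than a per-request size cap; `%w: %d percentiles requested, limit is %d` with `len(rewardPercentiles)` as the first argument tells an RPC caller exactly what to change. The choice of 100 presumably tracks the per-block percentile work done later in the function, but nothing in the hunk records that; a short why-comment on the constant would keep the ceiling from being tuned blindly. FeeHistory's body starts and ends outside the hunk.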
@@ -83,6 +83,11 @@ func TestFeeHistory(t *testing.T) {
 		if len(ratio) != c.expCount {
 			t.Fatalf("Test case %d: gasUsedRatio array length mismatch, want %d, got %d", i, c.expCount, len(ratio))
 		}
+		for _, ratio := range ratio {
+			if ratio > 1 {
+				t.Fatalf("Test case %d: gasUsedRatio greater than 1, got %f", i, ratio)
+			}
+		}
 		if err != c.expErr && !errors.Is(err, c.expErr) {
 			t.Fatalf("Test case %d: error mismatch, want %v, got %v", i, c.expErr, err)
 		}
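Review bot: The added loop shadows the slice `ratio` with its own element (`for _, ratio := range ratio`), which compiles but makes the `len(ratio)` check two lines above and the loop body read as if they refer to the same value; `for _, r := range ratio { if r > 1 { t.Fatalf("Test case %d: gasUsedRatio greater than 1, got %f", i, r) } }` keeps the assertion readable. The check also only bounds the ratio from above; a gas-used ratio is presumably gasUsed/gasLimit and can never be negative, so `if r < 0 || r > 1` costs nothing and would also catch a sign or division error in the producer. TestFeeHistory's body starts and ends outside the hunk.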