0-conf possible attack using large transactions

[cmaves]

By making a very simple modification to the monero-wallet-rpc, one can generate a valid low priority transaction that is small enough to be relayed, but large enough to never be confirmed by the network. After looking through the code. I looked through the code and I didn't see a protection against this kind of attack.

After 24 hours this transaction will drop from the mempool and the sender will be able to use the Monero again.

[emesik]

This could be a mempool spam attack against the daemon itself. Don't you think it's worth reporting upstream, with some more details on how to perform it?

[amiuhle]

I agree, transactions like this shouldn't be propagated through the network.

[cmaves]

I made an issue on the monero repo.
monero-project/monero#3189

[cmaves]

I'll leave this issue open until it is either fixed on the upstream or fixed in kasisto itself

[anonimal]

@cmaves In the future, please respect responsible disclosure by using using Monero's Vulnerability Response Process regardless of whether this issue is a confirmed vulnerability or not. Thank you.