Possible exploit issue with the way Geth displays the "internals transaction" tracing #21489
Comments
|
For context when we did a similar trace_transaction via OE (Parity) for the same transaction hash and the result shows a correct 0 value Eth transfer instead of 10k
|
mtbitcoin
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Geth version:
1.9.18OS & Version: Windows
This is related to the issue reported on https://twitter.com/r_ross_campbell/status/1297508597958692865?s=20
A user was able to spoof a call showing a 10k ether transfer on Rinkeby via https://rinkeby.etherscan.io/address/0x0c62da719a00659661e8c08c629897eddc72067f#code
To trace "internal txns" in geth we use the call tracer
(https://rinkeby.etherscan.io/vmtrace?txhash=0x7f8deeaff1618c372f14f3153b154d8bdd0f11816c85b2c9b3dca32cc042cf02&type=gethtrace2) which show an incorrect value of 10k ether.
The openEthereum (Parity) client however does not have this issue. A possible attacker could use this to spoof transfers to a 3rd party that solely relies on the debug_traceTransaction (callTracer) to check for internal txn transfers ether transfers taking place. This issue also affects any other explorers/exchanges/projects that rely on the same tracer
The text was updated successfully, but these errors were encountered: