Possible replay attack

Hi,

I have a dApp that is based on Moralis. It was working well, but recently, due to the new load balancer, we are facing a critical problem:

  • In our app, we have an endpoint that allows users to claim the reward
  • To prevent users from replay attacking (claiming the reward twice/triple) with a very fast request rate, we implemented a software rate limit using a global state in the Cloud function (a global var keeps the request state). It was working well because the dApp was on a single process/single instance. Now there is a process per core, so we have n states => a user can replay attack to claim n times.

So my question is:

  • Do you have a rate limit per userId on Moralis?
  • Do you have shared memory to use between processes?
  • In the worst case, can we roll back to a single process?
    Because it’s very critical for us, all our users can claim double/triple, so we need to react ASAP.

Thanks for your help.

I think that you should handle that claim limit in the smart contract logic. How is it that a user can claim twice?
You can also save info in the Moralis database for a user after he made a claim.

1 Like

@cryptokid, thanks for your answer.

We decided to implement the logic in the cloud function instead of the contract to avoid all the tx costs of the blockchain. We have set a flag in the Moralis DB, but if 2 requests arrive at the same time (easily simulated with any request software), the DB is not fast enough to prevent the replay attack.

Can you send me a DM on Discord?

Sure, can you send me your Discord pls?

Hey @yo1110

By replay attacking, do you mean re-entrancy (the DAO hack, to be clear)?

@dani: in our case, a user can replay his request to the cloud function multiple times. This is only for cloud function logic, not really related to the blockchain smart contract.

1 Like
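
The race discussed in this thread, as an added example that is not part of any post: a constructed, deterministic simulation comparing the per-process in-memory guard, a read-then-write DB flag, and a single atomic insert-if-absent. All names are hypothetical, no Moralis API is used, and the third variant assumes the shared store offers an atomic insert-if-absent (for example, a unique index on the claim record).

```javascript
// Constructed simulation of the claim endpoint; names are hypothetical.
// Each `yield` models a DB round trip during which other requests run.

// A: per-process in-memory guard (the global-variable rate limit).
function* claimWithLocalState(worker, db, userId) {
  if (worker.seen.has(userId)) return false;
  worker.seen.add(userId);
  yield;
  db.payouts.push(userId);
  return true;
}

// B: read the shared DB flag, then write it (check-then-act).
function* claimWithReadThenWrite(worker, db, userId) {
  const alreadyClaimed = db.flags.has(userId);
  yield; // the flag can change here, but the stale read is still used
  if (alreadyClaimed) return false;
  db.flags.add(userId);
  db.payouts.push(userId);
  return true;
}

// C: one atomic insert-if-absent; only the request that wins it pays out.
function* claimWithAtomicInsert(worker, db, userId) {
  yield;
  if (!db.insertIfAbsent(userId)) return false;
  db.payouts.push(userId);
  return true;
}

// Sends `requestCount` simultaneous claims for one user through a
// round-robin load balancer and returns how many payouts happened.
function simulate(handler, workerCount, requestCount) {
  const db = {
    flags: new Set(),
    payouts: [],
    insertIfAbsent(key) {
      if (this.flags.has(key)) return false;
      this.flags.add(key);
      return true;
    },
  };
  const workers = Array.from({ length: workerCount }, () => ({ seen: new Set() }));
  let inFlight = Array.from({ length: requestCount }, (_, i) =>
    handler(workers[i % workerCount], db, 'user-1'));
  // Advance every in-flight request one step per round until all finish.
  while (inFlight.length > 0) inFlight = inFlight.filter((req) => !req.next().done);
  return db.payouts.length;
}
```

With 8 simultaneous requests, `simulate(claimWithLocalState, 4, 8)` pays out once per worker, `simulate(claimWithReadThenWrite, 4, 8)` pays out for every request, and `simulate(claimWithAtomicInsert, 4, 8)` pays out once.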