UtxosChanged subscriptions are still accepted when utxoindex is disabled, as long as the request contains a non-empty address list.
That looks like a bug. In this configuration the node cannot actually serve UTXO-change notifications, but it still accepts the request and mutates subscription / tracker state. A remote client can keep sending large sets of unique addresses and force the node to retain useless state in memory.
From reading the code, only the blanket case is rejected:
- rpc/service/src/service.rs:1313
Relevant paths:
- rpc/service/src/service.rs:165-205
- notify/src/scope.rs:157
- notify/src/subscription/context.rs:27
- notify/src/address/tracker.rs:247
- rpc/wrpc/server/src/service.rs:16
Expected behavior:
If utxoindex is disabled, all UtxosChanged subscriptions should be rejected before notifier / tracker state is changed.
Suggested fix:
- Reject all
UtxosChanged subscriptions when utxoindex is disabled.
- Add a hard cap on addresses per request and per listener.
- Deduplicate addresses before registration.
- Add a regression test that verifies rejected subscriptions do not mutate tracker state.
UtxosChanged subscriptions are still accepted when
utxoindexis disabled, as long as the request contains a non-empty address list.That looks like a bug. In this configuration the node cannot actually serve UTXO-change notifications, but it still accepts the request and mutates subscription / tracker state. A remote client can keep sending large sets of unique addresses and force the node to retain useless state in memory.
From reading the code, only the blanket case is rejected:
Relevant paths:
Expected behavior:
If
utxoindexis disabled, allUtxosChangedsubscriptions should be rejected before notifier / tracker state is changed.Suggested fix:
UtxosChangedsubscriptions whenutxoindexis disabled.