Transaction Size DoS Remediation
How to fix transaction size DoS vulnerabilities.
Overview
Related Detector: Transaction Size DoS
Unbounded account lists can exceed Solana’s 1232-byte transaction size limit. The fix is to enforce maximum account count limits on all dynamically-sized CPI account lists and to use pagination for large batch operations.
Recommended Fix
Before (Vulnerable)
// No upper bound: the caller controls how many accounts are appended
for key in user_provided_keys.iter() {
    accounts.push(AccountMeta::new(*key, false));
}
After (Fixed)
const MAX_BATCH: usize = 20;
// Reject oversized lists on-chain before building the CPI account list
require!(user_provided_keys.len() <= MAX_BATCH, ErrorCode::TooManyAccounts);
for key in user_provided_keys.iter() {
    accounts.push(AccountMeta::new(*key, false));
}
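The pagination mentioned in the overview, as an added example (not code from this page or its project): it models the serialized size of a legacy transaction and splits a key list into pages of at most MAX_BATCH. Assumptions: one signer (the fee payer), one instruction, all keys distinct, 8 bytes of instruction data; `Pubkey` is a plain 32-byte stand-in and `legacy_tx_size`, `fits` and `paginate` are hypothetical names.

```rust
const TX_SIZE_LIMIT: usize = 1232; // transaction size limit cited on this page
const MAX_BATCH: usize = 20; // same bound as the on-chain check

type Pubkey = [u8; 32]; // stand-in for the real Pubkey type (assumption)

/// Bytes used by Solana's compact-u16 length prefix.
fn compact_u16_len(n: usize) -> usize {
    match n {
        0..=0x7f => 1,
        0x80..=0x3fff => 2,
        _ => 3,
    }
}

/// Serialized size of a legacy transaction with one signer, one instruction,
/// `n_keys` distinct user keys and `data_len` bytes of instruction data.
fn legacy_tx_size(n_keys: usize, data_len: usize) -> usize {
    let account_keys = n_keys + 2; // fee payer + program id + user keys
    let signatures = compact_u16_len(1) + 64;
    let header = 3;
    let keys = compact_u16_len(account_keys) + 32 * account_keys;
    let blockhash = 32;
    let instruction = 1 // program id index
        + compact_u16_len(n_keys) + n_keys // one u8 index per account
        + compact_u16_len(data_len) + data_len;
    signatures + header + keys + blockhash + compact_u16_len(1) + instruction
}

/// True when the modelled transaction stays within the size limit.
fn fits(n_keys: usize, data_len: usize) -> bool {
    legacy_tx_size(n_keys, data_len) <= TX_SIZE_LIMIT
}

/// Split a large key list into pages the bounded program will accept.
fn paginate(keys: &[Pubkey]) -> Vec<&[Pubkey]> {
    keys.chunks(MAX_BATCH).collect()
}

fn main() {
    // Constructed sample input: 45 distinct dummy keys.
    let keys: Vec<Pubkey> = (0..45u8).map(|i| [i; 32]).collect();
    for (i, page) in paginate(&keys).iter().enumerate() {
        let size = legacy_tx_size(page.len(), 8); // 8 = assumed data length
        println!("page {}: {} keys, {} bytes, fits: {}", i, page.len(), size, fits(page.len(), 8));
    }
}
```

Under these assumptions each extra account costs 33 bytes (a 32-byte key plus a 1-byte index), so a page of 20 leaves headroom for larger instruction data or additional fixed accounts.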
Alternative Mitigations
Address Lookup Tables
Use Solana’s Address Lookup Tables to compress account references in versioned transactions:
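import { TransactionMessage } from "@solana/web3.js";

// createLookupTable is assumed here to be an application helper that creates
// and populates the table and returns an AddressLookupTableAccount.
const lookupTable = await createLookupTable(connection, payer, accounts);
const messageV0 = new TransactionMessage({
  payerKey: payer.publicKey,
  recentBlockhash,
  instructions,
}).compileToV0Message([lookupTable]);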
Common Mistakes
Mistake: Only Checking in Client Code
// WRONG: client-side check only -- attacker can bypass
if (accounts.length > 30) throw new Error("Too many accounts");
Always enforce limits on-chain in the program itself.