Skip to main content
Sigvex

Transaction Size DoS Remediation

How to fix transaction size DoS vulnerabilities.

Transaction Size DoS Remediation

Overview

Related Detector: Transaction Size DoS

Unbounded account lists can exceed Solana’s 1232-byte transaction size limit. The fix is to enforce maximum account count limits on all dynamically-sized CPI account lists and to use pagination for large batch operations.

Before (Vulnerable)

for key in user_provided_keys.iter() {
    accounts.push(AccountMeta::new(*key, false));
}

After (Fixed)

const MAX_BATCH: usize = 20;
require!(user_provided_keys.len() <= MAX_BATCH, ErrorCode::TooManyAccounts);
for key in user_provided_keys.iter() {
    accounts.push(AccountMeta::new(*key, false));
}

Alternative Mitigations

Address Lookup Tables

Use Solana’s Address Lookup Tables to compress account references in versioned transactions:

const lookupTable = await createLookupTable(connection, payer, accounts);
const messageV0 = new TransactionMessage({
  payerKey: payer.publicKey,
  recentBlockhash,
  instructions,
}).compileToV0Message([lookupTable]);

Common Mistakes

Mistake: Only Checking in Client Code

// WRONG: client-side check only -- attacker can bypass
if (accounts.length > 30) throw new Error("Too many accounts");

Always enforce limits on-chain in the program itself.

References