@tjade273 thinking some more about value-bearing calls, I realized that our current protection (dropping validations that change any account balance except the wallet and the entry point) is not good enough. The value-bearing call you suggested could be a self-call by some 3rd party account, so there’s no balance change. So the current protection won’t stop this DoS:
- Wallets call EvilContract.func() during validation.
- EvilContract.func() attempts to call its own receive function with 1 wei, reverting if it fails. When it has 1 wei it is not caught by the current protection because the balance remains 1 wei.
- Attacker sends ops from 1000 wallets with this validation function while EvilContract has 1 wei. Validations succeed and the ops are accepted to the mempool.
- Attacker tells EvilContract to send the 1 wei elsewhere.
- All ops fail validation in the 2nd simulation.

We’ll update the EIP to also ban value-bearing calls during validation, except from the wallet to the entry point.
Thanks again for your valuable comments.
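
The two rules discussed in this post, run side by side over one validation trace. This is an added example, not part of the original post and not taken from the EIP or any bundler. The addresses, the sample trace, its call-tracer-like shape and all function names are constructed assumptions.

```javascript
// Constructed placeholder addresses (not real deployments).
const WALLET = "0x" + "aa".repeat(20);
const ENTRY_POINT = "0x" + "ee".repeat(20);
const EVIL = "0x" + "bb".repeat(20);

// Constructed validation trace (nested frames; the shape is an assumption).
// EvilContract sends 1 wei to itself; the wallet pays the entry point.
const sampleTrace = {
  type: "CALL", from: ENTRY_POINT, to: WALLET, value: "0x0",
  calls: [
    { type: "CALL", from: WALLET, to: EVIL, value: "0x0",
      calls: [{ type: "CALL", from: EVIL, to: EVIL, value: "0x1" }] },
    { type: "CALL", from: WALLET, to: ENTRY_POINT, value: "0x2386f26fc10000" },
  ],
};

// Assumption: these frame types never move ether between accounts.
const NO_TRANSFER = new Set(["STATICCALL", "DELEGATECALL"]);

// Depth-first list of every frame that carries a non-zero value.
function valueFrames(frame, out = []) {
  const value = BigInt(frame.value || "0x0");
  if (!NO_TRANSFER.has(frame.type) && value > 0n) {
    out.push({ from: frame.from.toLowerCase(), to: frame.to.toLowerCase(), value });
  }
  for (const child of frame.calls || []) valueFrames(child, out);
  return out;
}

// Current protection: flag accounts other than the wallet and the entry point
// whose net balance changed (assumes no frame in the trace reverted).
function balanceRuleViolations(trace, wallet, entryPoint) {
  const allowed = new Set([wallet.toLowerCase(), entryPoint.toLowerCase()]);
  const delta = new Map();
  for (const { from, to, value } of valueFrames(trace)) {
    delta.set(from, (delta.get(from) || 0n) - value);
    delta.set(to, (delta.get(to) || 0n) + value);
  }
  return [...delta].filter(([a, d]) => d !== 0n && !allowed.has(a)).map(([a]) => a);
}

// Proposed rule: flag every value-bearing call except wallet -> entry point.
function valueCallViolations(trace, wallet, entryPoint) {
  const w = wallet.toLowerCase(), e = entryPoint.toLowerCase();
  return valueFrames(trace).filter((f) => !(f.from === w && f.to === e));
}

console.log("balance rule:", balanceRuleViolations(sampleTrace, WALLET, ENTRY_POINT));
console.log("value-call rule:", valueCallViolations(sampleTrace, WALLET, ENTRY_POINT));
```

The balance rule reports nothing because the self-call nets to zero, while the value-call rule flags the EvilContract frame and still permits the wallet's payment to the entry point.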