Remove Loki tx_extra support and harden vector deserializer by MoneroOcean · Pull Request #39 · MoneroOcean/node-blocktemplate

MoneroOcean · 2026-06-03T18:36:13Z

Address a high-risk DoS vector where newly-registered Loki tx_extra types exposed attacker-controlled std::vector counts that could trigger large reserve allocations during parsing.
Project decision: Loki support is no longer required, so eliminating Loki-specific tx_extra types both removes the attack surface and simplifies maintenance.

Removed Loki service-node and key-image tx_extra constants, types, serializers, and variant registrations in src/cryptonote_basic/tx_extra.h so those tags are no longer recognized by the parser.
Removed the BLOB_TYPE_CRYPTONOTE_LOKI enum entry from src/cryptonote_config.h and updated code paths that previously referenced Loki.
Renamed/re-scoped the previous Loki/XTNC naming to XTNC-specific symbols (xtnc_version / xtnc_type) and limited XTNC/transaction-type branches to BLOB_TYPE_CRYPTONOTE_XTNC in src/cryptonote_basic/cryptonote_basic.h and src/main.cc.
Mitigated the vector-allocation amplification by removing the pre-parse v.reserve(cnt) call from src/serialization/vector.h, preventing attacker-controlled counts from causing large premature allocations.

Ran rg searches for Loki/service-node/key-image symbols and confirmed no remaining matches (search returned no hits). (succeeded)
Ran git diff --check to validate whitespace/diff issues. (succeeded)
Attempted npm test but it was blocked by registry access errors (403 Forbidden fetching bech32), so full JS test execution could not complete. (blocked)
Attempted a local C++ syntax-only compile but it failed due to missing Boost headers in the environment, so a full native build could not be validated here. (blocked)

Remove Loki transaction extra support

f96a9ce

MoneroOcean added the codex label Jun 3, 2026 — with ChatGPT Codex Connector

Restore XEQ blob type after Loki removal

21546ad

Provide feedback