From 9d2df76db0a25f39b46516e8c73a586b0663ff6d Mon Sep 17 00:00:00 2001
From: beer-1 <147697694+beer-1@users.noreply.github.com>
Date: Thu, 16 Jan 2025 12:42:03 +0900
Subject: [PATCH] fix: add tx protected check at `eth_sendRawTranasaction` api (#144)
* add tx protected check at eth_sendRawTranasaction api
* update jsonrpc readme
* add test case
---
 jsonrpc/README.md | 2 +-
 jsonrpc/backend/tx.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/jsonrpc/README.md b/jsonrpc/README.md
index dcfa2592..3499a7a0 100644
--- a/jsonrpc/README.md
+++ b/jsonrpc/README.md
@@ -34,7 +34,7 @@ The ETH JSON-RPC (Remote Procedure Call) is a protocol that allows clients to in
 | eth | eth_fillTransaction | 🚫 | Fills the defaults (nonce, gas, gasPrice or 1559 fields) on a given unsigned transaction, and returns it to the caller for further processing (signing + broadcast). |
 | eth | eth_sendTransaction | 🚫 | Creates a new message call transaction or a contract creation if the data field contains code. |
 | eth | eth_resend | 🚫 | Remove the given transaction from the pool and reinsert it with the new gas price and limit. |
-| eth | eth_sendRawTransaction | ✅ | Sends a signed transaction to the network. |
+| eth | eth_sendRawTransaction | ✅ | Sends a signed transaction to the network. Only replay-protected (EIP-155) transactions are accepted. |
 | eth | eth_call | ✅ | Executes a new message call immediately without creating a transaction on the block chain. |
 | eth | eth_estimateGas | ✅ | Generates an estimate of how much gas is necessary to allow the transaction to complete. |
 | eth | eth_getBlockByHash | ✅ | Returns information about a block by hash. |
diff --git a/jsonrpc/backend/tx.go b/jsonrpc/backend/tx.go
index b1d8f9b6..b2544cf5 100644
--- a/jsonrpc/backend/tx.go
+++ b/jsonrpc/backend/tx.go
@@ -29,6 +29,11 @@ func (b *JSONRPCBackend) SendRawTransaction(input hexutil.Bytes) (common.Hash, e
 return common.Hash{}, err
 }
+ if !tx.Protected() {
+ // Ensure only eip155 signed transactions are submitted if EIP155Required is set.
+ return common.Hash{}, errors.New("only replay-protected (EIP-155) transactions allowed over RPC")
+ }
+
 if err := b.SendTx(tx); err != nil {
 return common.Hash{}, err
 }
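Review bot: The comment inside the new `if !tx.Protected()` block says the check applies "if EIP155Required is set", but the condition is unconditional and no such setting is read in this hunk, so the comment describes a switch that is not there. Something like `// Reject transactions whose signature carries no EIP-155 chain ID; they could be replayed on another chain.` would match what the code does. Assuming `tx` is a go-ethereum `types.Transaction`, `Protected()` only reports that a chain ID is encoded in the signature, not that it is this chain's ID, so it is worth confirming that `SendTx` or the signer behind it rejects a mismatching chain ID; that code is outside the hunk. The commit message lists an added test case, yet the diffstat covers only README.md and tx.go, so the rejection path appears untested in this patch. SendRawTransaction begins before the hunk and continues past it.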