fix(rpc): prevent memory exhaustion attack in eth_getStorageAt by limit

[0xbigapple]

What does this PR do?
This PR adds a defensive length check for the storageIdx parameter in the eth_getStorageAt JSON-RPC method before it is hex-decoded. It enforces a strict maximum length (66 characters with the 0x prefix, 64 without) and correctly rejects empty strings, throwing a standard -32602 Invalid Params exception.

Why are these changes required?
To prevent a resource exhaustion (DoS) vulnerability. Without this length check, an attacker could supply an exceptionally large, multi-megabyte hex string as the storageIdx. The underlying ByteArray.fromHexString method would attempt to allocate a massive byte array in the JVM heap during decoding, potentially leading to immediate memory exhaustion (OOM) and node crashes. This aligns our RPC security with execution layer standards (similar to Ethereum's recent fix in go-ethereum PR #32750).

This PR has been tested by:

• Unit Tests (JsonrpcServiceTest.testGetStorageAt)
• Manual Testing

Follow up
None.

Extra details

• The maximum length of 64 hex characters maps strictly to the 32-byte (256-bit) nature of TVM/EVM storage keys. Any string exceeding this length is mathematically invalid as a storage key.
• The change is fully backwards compatible for all correctly-formed requests.

---

Summary by cubic

Adds input validation to eth_getStorageAt to prevent memory exhaustion by rejecting blank, 0x-only, or oversize storageIdx with -32602 Invalid Params. This blocks DoS attempts while keeping valid 32-byte keys working.

• Bug Fixes
  • Enforce storageIdx rules: max 64 hex chars (66 with 0x), not blank, and not just 0x.
  • Updated tests to cover blank/0x/oversize indexes and keep tag validation using a minimal valid index.

^{Written for commit 1be7ee5. Summary will update on new commits.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 49ae5a82-592e-4d6e-b544-81a147a00917

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/storageIdx-dos-vulnerability

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="framework/src/main/java/org/tron/core/services/jsonrpc/TronJsonRpcImpl.java">

<violation number="1" location="framework/src/main/java/org/tron/core/services/jsonrpc/TronJsonRpcImpl.java:538">
P2: The new storage index validation still accepts `"0x"` (empty hex), which is then interpreted as storage slot zero instead of being rejected as invalid input.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}