Ethereum RPC Attack Methods and Defense Recommendations
This article outlines multiple Ethereum RPC attack techniques—including unlock‑account hijacking, miner‑address manipulation, brute‑force, offline, and zero‑fee attacks—provides detailed attack flow diagrams, code‑path references, recent honeypot statistics, and practical defense measures to secure RPC endpoints.
Introduction
Since Ethereum’s launch in 2015, security incidents have repeatedly surfaced, the most famous being the 2016 DAO hack caused by a smart‑contract vulnerability that led to the theft of about $60 million worth of Ether. The Ethereum team performed a hard fork, resulting in two chains: Ethereum Classic (ETC) and the new Ethereum (ETH).
In the same year, a vulnerability in Ethereum RPC services—referred to as the "stealth" or "pass‑through" vulnerability—allowed attackers to steal funds without possessing the wallet’s private key or node‑server permissions.
Geth added the personal_sendTransaction interface in January 2018 to mitigate the pass‑through issue caused by personal_unlockAccount. However, many other RPC vulnerabilities remain unaddressed, and honeypot data shows that attacks have not decreased.
1. Pass‑Through (Unlock‑Account) Attack
The attacker scans for nodes with an open RPC port and repeatedly calls eth_sendTransaction. When a legitimate user unlocks their wallet, the attacker’s transaction—usually with a higher gas price—gets prioritized and the funds are transferred.
2. Miner‑Address Attack
If the node enables the miner module, the attacker can use miner_setEtherbase to change the address that receives mining rewards.
3. Brute‑Force Attack
Attack steps:
Obtain wallet lists via eth_accounts, eth_coinbase, personal_listAccounts, and unlocked wallets via personal_listWallets.
Attempt password cracking with personal_unlockAccount, parity_testPassword, or parity_exportAccount, then send transactions with eth_sendTransaction.
Upgrade to using personal_sendTransaction to brute‑force and transfer simultaneously.
4. Offline Attack
Even after closing an RPC port, previously exposed wallets can be compromised offline. Attack flow:
Node’s RPC port was open, but the wallet held no ETH.
Attacker monitors eth_getTransactionCount to calculate the nonce and waits for the user to unlock the wallet.
After the user deposits ETH, the attacker broadcasts a pre‑signed transaction.
The transaction is mined and the attacker steals the funds.
5. Zero‑Fee Attack
Typical attacks require a high gas price to get priority. By exploiting a zero‑fee vulnerability, attackers can steal Ether and tokens from nodes that reject low‑fee transactions.
Attack example:
According to Geth source code, transactions with a gas price below the pool’s minimum are discarded (see go-ethereum/core/tx_pool.go and go-ethereum/core/tx_list.go). By modifying the source to accept zero‑fee transactions, attackers can have them mined and broadcast.
Honeypot Statistics
Our honeypot system collects attacker IPs, wallet addresses, and attack methods. Recent three‑day statistics (Top 10):
Top attacker IPs and wallet addresses are also displayed in accompanying charts.
Defense Recommendations
Restrict RPC port access to internal networks or use firewall rules (e.g., iptables) to block public access.
For nodes that may have been compromised, transfer assets to a new wallet and discard the old one.
Avoid weak passwords for wallet encryption; if used, re‑import the private key with a strong password.
Do not store private keys on the node; use personal_sendTransaction instead of personal_unlockAccount for transactions.
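A self‑audit for the recommendations above, added here as an example and not code from the original article: it builds the JSON‑RPC probes an operator would send to their own node and reports which of the sensitive methods named in this article are actually dispatched. The sample replies, the node URL and the helper names are constructed for illustration.

```python
"""Audit which sensitive JSON-RPC methods an Ethereum node exposes."""
import json
import urllib.request

# Methods named in the article whose exposure on a public RPC port
# enables the unlock-account, miner-address and brute-force attacks.
SENSITIVE_METHODS = [
    "personal_listAccounts", "personal_listWallets", "personal_unlockAccount",
    "personal_sendTransaction", "miner_setEtherbase",
    "eth_accounts", "eth_sendTransaction",
]

def build_probe(method, request_id=1):
    """JSON-RPC 2.0 request body for one method, sent with no params so the
    probe itself can never unlock an account or move funds."""
    return json.dumps({"jsonrpc": "2.0", "id": request_id,
                       "method": method, "params": []})

def classify_reply(reply):
    """'disabled' when the node answers with JSON-RPC error -32601
    (method not found, which Geth also returns for a namespace that is not
    enabled on the RPC interface); anything else means it was dispatched."""
    if "error" in reply and reply["error"].get("code") == -32601:
        return "disabled"
    return "exposed"

def audit_replies(replies):
    """replies: {method: reply_dict}. Returns the exposed methods, sorted."""
    return sorted(m for m, r in replies.items()
                  if classify_reply(r) == "exposed")

def probe_node(url, methods=SENSITIVE_METHODS, timeout=5):
    """Send each probe to your own node at `url` and collect the replies."""
    replies = {}
    for i, method in enumerate(methods, 1):
        req = urllib.request.Request(
            url, data=build_probe(method, i).encode(),
            headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            replies[method] = json.load(resp)
    return replies

# Constructed replies, as a node with personal/miner not enabled answers:
SAMPLE_REPLIES = {
    "personal_listAccounts": {"jsonrpc": "2.0", "id": 1, "error": {
        "code": -32601, "message": "the method personal_listAccounts does not exist/is not available"}},
    "miner_setEtherbase": {"jsonrpc": "2.0", "id": 5, "error": {"code": -32601, "message": "..."}},
    "eth_accounts": {"jsonrpc": "2.0", "id": 6, "result": ["0x0000000000000000000000000000000000000001"]},
    "eth_sendTransaction": {"jsonrpc": "2.0", "id": 7, "error": {
        "code": -32602, "message": "missing value for required argument 0"}},
}

if __name__ == "__main__":
    print("exposed:", audit_replies(SAMPLE_REPLIES))  # hypothetical node: probe_node("http://127.0.0.1:8545")
```

Any method reported as exposed on a port reachable from outside the internal network should be removed from the RPC API list or placed behind the firewall rules described above.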
360 Smart Cloud
Official service account of 360 Smart Cloud, dedicated to building a high-quality, secure, highly available, convenient, and stable one‑stop cloud service platform.