
Code susceptible to DoS attacks.

Open carlino3 opened this issue 5 years ago • 1 comment

Hello, I noticed a problem with this code.

As Blockchain API documentation says, if you reach the gap limit with 20 (or whatever the gap limit is) unused addresses, the API will refuse to give you new addresses unless you increase the gap limit or change your xpub.

This can be abused by malicious users by requesting "/create.php?invoice_id=XXX" enough times to reach the gap limit and leave the payment system unavailable until the administrator fixes the issue.

I understand that this is intended to be demonstration code and not for production, but I see many people using this code as is and I want to let them know.

carlino3 avatar Oct 19 '19 15:10 carlino3

Yeah, you have a valid point. I'm curious, did you find a solution?

Since most people will display that BTC payment QR code (with invoice) on their website, it's quite possible that the script will go over the 20 invoice limit. So what's then? Additionally what if I generate more than 20 invoices before they are paid?

I was thinking myself how to overcome it. And one solution could be this. If they allow multiple payments to the same Bitcoin address, then you can rotate those addresses once a day or once a week (via a cron job script, for instance). In that case each invoice should have some random UUID attached to it. The only issue is that the person paying the bill must remember to include that UUID in the details for your callback to process it correctly. And there may be a problem with the confirmations count tracking. So I'm wondering if there are other solutions to this problem (because that 20 limit clearly doesn't cut it).

ddbb2017 avatar Jan 06 '20 10:01 ddbb2017
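The gap-limit exhaustion described in the issue, and the "more than 20 invoices before they are paid" question in the reply, modelled as an added Python example (not the demo's PHP and not Blockchain's client; the Receive Payments API is replaced by a constructed stand-in that refuses addresses once 20 are unused). The server-side state makes repeat requests for an invoice idempotent, gives each client a small budget of new invoices, and keeps the global count of unpaid addresses under the gap limit; the limits, class and field names are assumptions.

```python
GAP_LIMIT = 20           # limit quoted in the issue
SAFE_UNUSED = 15         # stop minting well before the provider refuses (assumption)
MAX_NEW_PER_CLIENT = 5   # per-client budget for fresh invoices (assumption)


class FakeReceiveApi:
    """Constructed stand-in for the Receive Payments API, not the real client."""

    def __init__(self):
        self.calls, self.unused = 0, set()

    def new_address(self):
        if len(self.unused) >= GAP_LIMIT:   # what the real API does at the gap limit
            raise RuntimeError("gap limit reached; raise it or change the xpub")
        self.calls += 1
        addr = f"addr{self.calls}"
        self.unused.add(addr)
        return addr

    def mark_used(self, addr):
        self.unused.discard(addr)


class InvoiceAddresses:
    """State a create.php-style endpoint needs so floods cannot burn addresses."""

    def __init__(self, api):
        self.api = api
        self.by_invoice = {}   # invoice_id -> address: repeat requests are idempotent
        self.unpaid = set()    # addresses handed out but not yet paid
        self.per_client = {}   # client id -> fresh invoices created

    def address_for(self, invoice_id, client):
        if invoice_id in self.by_invoice:            # 1. known invoice: no API call
            return self.by_invoice[invoice_id]
        if self.per_client.get(client, 0) >= MAX_NEW_PER_CLIENT:
            return None                              # 2. per-client budget spent
        if len(self.unpaid) >= SAFE_UNUSED:
            return None                              # 3. global cap under the gap limit
        addr = self.api.new_address()
        self.by_invoice[invoice_id] = addr
        self.unpaid.add(addr)
        self.per_client[client] = self.per_client.get(client, 0) + 1
        return addr

    def payment_received(self, invoice_id):
        addr = self.by_invoice[invoice_id]           # payment callback frees a slot
        self.unpaid.discard(addr)
        self.api.mark_used(addr)
```

Refusals in steps 2 and 3 happen locally, so the provider never sees the flood and the remaining gap stays available for real customers.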