The default rpc-gas-cap allows unlimited gas usage of eth_call

[Z-Zhijie]

Description

The rpc-gas-cap option allows users to specify the maximum gas limit for transaction simulation RPC methods, such as eth_call. By default, rpc-gas-cap is set to 0, which means there is no gas limit. In the absence of a gas cap, users can specify arbitrarily high gas limits for contract execution simulations, which can potenially exhaust node resources and result in DoS attack.

To mitigate this risk, it may be beneficial to set a non-zero default value for rpc-gas-cap. For reference, other Ethereum clients have set default values for gas caps. Geth: 50M, Nethermind: 100M, Erigon: 50M.

The gas limit of eth_call is determined in the following code:

https://github.com/hyperledger/besu/blob/main/ethereum/core/src/main/java/org/hyperledger/besu/ethereum/transaction/TransactionSimulator.java#L479-L509

If rpc-gas-cap is set to 0, the gas limit of eth_call is set to the user provided gas limit.

Steps to Reproduce

1. Run a testnet with the default rpc-gas-cap value (0).
2. Using eth_call method to call a high gas-consuming contract with high gas limit.

Expected behavior: [What you expect to happen]
The gas limit is capped by a reasonable default value.

Actual behavior: [What actually happens]
With the default configuration, no gas limit is applied to eth_call, allowing execution with an unbounded gas limit.

Frequency: [What percentage of the time does it occur?]
Always

Versions (Add all that apply)

• Software version: 24.12.2