Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Game of Zones Phase 3 Deception/Attacks #437

Closed
zmanian opened this issue Jun 16, 2020 · 5 comments
Closed

Game of Zones Phase 3 Deception/Attacks #437

zmanian opened this issue Jun 16, 2020 · 5 comments

Comments

@zmanian
Copy link
Member

zmanian commented Jun 16, 2020
edited
Loading

Iris
https://github.com/irisnet/goz/tree/master/phase-3

P2P validator
https://economy.p2p.org/cosmos-game-of-zones-phase-3-a-deceptive-rootchain/

Vitwit
https://medium.com/regen-network/goz-phase-3-invalidate-real-tokens-by-minting-fake-tokens-275bb91b7678
@cwgoes
Copy link
Contributor

cwgoes commented Jun 17, 2020
edited
Loading

Iris's bug (which was a spec mistake) has been fixed in cosmos/cosmos-sdk#6337 (SDK-side) and a903b09 (spec-side) already.

P2P validator's deceptive root-chain is a known result in the intentionally chosen IBC security model. Users who transfer tokens to a chain do so at their own risk - if that chain incorrectly implements ICS 20, they may not be able to transfer their tokens back. We should be very clear about this in communication and documentation, but I don't think this requires any code changes.

Vitwit/Regen's post also does not break the security model per se, but it does seem to indicate a bug, we should try to reproduce that - @AdityaSripal or @fedekunze do you have any ideas? Should we try to write an SDK test-case?

Anything I missed?

@ethanfrey
Copy link
Contributor

ethanfrey commented Jun 17, 2020
edited
Loading

VitWit's attack is based on the fact that native tokens and ibc-remote tokens are handled the same by the bank module. There is no differentiator other than a naming convention.

A larger change, but maybe useful, would be to store a "ibc" flag on the token somewhere, which is checked. So it is no longer a string but a struct. This is probably too breaking everywhere.

A simpler change would simply to limit the valid characters in any tokens that are not minted by IBC. Only IBC module can mint tokens that have a / and, in fact, all tokens minted by it must contain at least one /. And we get:

func IsIBCToken(denom string) bool {
    return strings.Contains(denom, "/")
}

It seems that [a-z0-9/] are consistently valid chars in token denoms. I wonder if it is possible to add another case-dependent check (for ibc/non-ibc tokens)

@cwgoes
Copy link
Contributor

cwgoes commented Jun 18, 2020

VitWit's attack is based on the fact that native tokens and ibc-remote tokens are handled the same by the bank module. There is no differentiator other than a naming convention.

That's right, but I still don't understand why they can't send back the amount of tokens originally sent from the Hub - do you know why that was the case?

A simpler change would simply to limit the valid characters in any tokens that are not minted by IBC. Only IBC module can mint tokens that have a / and, in fact, all tokens minted by it must contain at least one /.

This is probably a prudent idea.

@cwgoes
Copy link
Contributor

cwgoes commented Nov 30, 2020

This has since been fixed; IBC-module-generated tokens have an IBC-specific denomination.

@cwgoes cwgoes closed this as completed Nov 30, 2020
@AdityaSripal
Copy link
Member

^Note: This is true assuming that chains do not allow any other module/user to mint tokens with the ibc prefix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@zmanian @ethanfrey @AdityaSripal @cwgoes