-
Notifications
You must be signed in to change notification settings - Fork 2.7k
How to prevent a Call to be dispatched indirectly #4915
Comments
While you can use a |
Please let me clarify this. I am presenting one issue: It is possible to bypass validation logic in For example, contracts pallet checks the transaction cannot exceed block gas limit in validate. The check won't be performed if the call is dispatched by substrate/frame/contracts/src/lib.rs Line 1125 in 7d544ef
This basically prevents anyone to enforce security related logics in If fact, I view this could cause potential security issues because bypassable validation logic just doesn't make sense. A useful but insecure tool is dangerous. A kind of related issue is charge tx fee is performed in Currently,
To workaround this issue, I want a way to detect if a oracle call is dispatched indirectly and reject / slash it. This ensures the call that bypass Here are some background contexts of why I am seeing this issue is a blocker for us. We are building an oracle module, and here are some high level goals: open-web3-stack/open-runtime-module-library#80 We want oracle operators be able to submit feed value tx without charging them fee (FreeOeprational). But of course this could be a DOS vector that needs some careful considerations. So my solution is:
Please provide feedbacks if you can see a better ways to achieve our goal. |
Calls can be dispatch indirectly by for example
utility.as_sub
. But for indirect dispatched calls, ourSignedExtension
will not be able to detect those calls and perform additional validations before there enters tx pools.For example, in our oracle module, only whitelisted users are allowed to submit
oracle.feed_value
and the tx fee is configured to be zero. We also want to ensure each whitelisted user can only submit up to oneoracle.feed_value
per block (so they cannot DOS the network permanently).Because those tx are free, we need to ensure invalid txs are rejected which can be enforced by our
CheckOperator
signed extension.But in our implementation, we are only able to handle calls that made to
oracle
module and validate them. If attacker useutility.as_sub
to dispatch the call indirectly, the validate logic will be bypassed completely.It is possible to modify our implementation to look for Calls from
utility
pallet, but it just does not scales and not a good solution.The quick fix to prevent this issue is to be able to detect if a dispatchable is dispatched indirectly, and panic if it is, which will prevent the trouble tx to be added to tx pool.
On the other hand, many dispatchables are designed to be dispatched indirectly only (e.g.
system.set_code
). So we may want a better design to handle those cases:system.set_code
)The work on our side: open-web3-stack/open-runtime-module-library#86
The text was updated successfully, but these errors were encountered: