-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
vm: add two proof verifier to fix the vulnerability in range proof #1121
Conversation
d8b68ec
to
bdfb980
Compare
bdfb980
to
01f5ce7
Compare
Out of curiosity (as an outsider), wouldn't the right package to change be the |
We can not change |
c580e37
to
c5cc1d5
Compare
Description
This PR aims to solve the BSC Bridge exploitation issue.
Rationale
BC to BSC cross-chain communication is based on the light client technique. A smart contract is deployed on BSC to track the consensus state of BC including the appHash (analogous to stateRoot of Ethereum), which is essentially a root of a verifiable key-value store implemented as an AVL tree. Messages coming from BC will be verified against the appHash so their integrity can be guaranteed.
The store allows consecutive key-value pairs to be proved in batch (better in performance than proving each one individually). However its range proof verification logic contains a critical bug that can be exploited to prove membership of arbitrary key-value pairs chosen by the attacker.
https://github.com/cosmos/iavl/blob/6c1300ae54a9bb851e77dbcc4ba4b21832279027/proof_path.go#L70
https://github.com/cosmos/iavl/blob/6c1300ae54a9bb851e77dbcc4ba4b21832279027/proof.go#L79
The root is calculated by hashing repeatedly (just like in Merkle proof) as in the pseudocode below:
If both left and right exist, the digest will ignore the right field. Because of this, if the verification path contains all items with both left and right, the root is unchanged with any arbitrary right values (using the same leaf). This is one factor to be exploited.
This PR in tendermint will introduce
ProofOpVerifier
to disable following ProofOperation:Example
Refer to the UT.
Changes
NA