Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ICS20: Refund logic deviation between spec and code #531

Closed
josef-widder opened this issue Nov 25, 2020 · 1 comment
Closed

ICS20: Refund logic deviation between spec and code #531

josef-widder opened this issue Nov 25, 2020 · 1 comment
Labels
app Application layer. from-review Feedback / alterations from specification review. implementation Tracking an external implementation of the spec.

Comments

@josef-widder
Copy link
Contributor

Surfaced from Informal Systems IBC Audit of cosmos-sdk hash cosmos/cosmos-sdk@7e6978a.

In the specification ICS20 recvPacket in the case where there is an error within the bank module (TransferCoins and Mintcoins), an acknowledgement with error code is generated. As a result, at the sending chain the function onAcknowledgePacket is executed with a "non-success" code (assuming "normal" operation with a reliable relayer), which in turn calls refund.

In the implementation, in case of an error, the bank module panics, the transaction is aborted. In case of no other events (e.g., later a packet removes money from some account which results in the original packet going through upon retry without panic), on the sender chain, the function onTimeoutPacket is executed which in turn performs refund.

Problem Scenarios

It seems that the intuition of the logic in the specification is to highlight that an acknowledgement value can be used to control the application. For instance, instead of refunding, one might think of retrying sending.

From a design viewpoint, separating application-level acknowledgement codes from more low level aborts seems advantageous. However, it seems as if the bank module does not provide this fine-grained distinction.

Recommendation

The easiest fix would be to

  • Change specification to align with code.
  • Due to the discrepancy it appears that no acknowledgement with a code different from "result" is currently sent. If this was true,
    the error branch in OnAcknowledgementPacket would be unreachable code. We suggest to check that, and if this is the case, it should be removed from the specification and the code.

However, as ICS 20 also will serve as a template for future IBC applications, a clearer separation between application-level errors and infrastructure roll-backs (and panics) would be advantageous. For that purpose we suggest a more robust implementation of token transfer that does not rely on the bank panicking.
@cwgoes cwgoes transferred this issue from cosmos/ibc Feb 23, 2021
@cwgoes cwgoes transferred this issue from another repository Mar 23, 2021
@mpoke mpoke changed the title ICS 20 - refund logic deviation between spec and code ICS20: Refund logic deviation between spec and code Mar 17, 2022
@mpoke mpoke added app Application layer. implementation Tracking an external implementation of the spec. from-review Feedback / alterations from specification review. labels Mar 17, 2022
@crodriguezvega
Copy link
Contributor

I believe this issue is not relevant anymore, so I will close it for now...

In the implementation, when OnRecvPacket returns an error, then an error acknowledgment is generated, and thus the error branch in OnAcknowledgementPacket is reachable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
app Application layer. from-review Feedback / alterations from specification review. implementation Tracking an external implementation of the spec.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@crodriguezvega @mpoke @josef-widder