fix: fix vuln demonstrated by #583 #584
Conversation
grepsuzette
changed the title
grepsuzette
changed the title
|
@grepsuzette Thanks for all the links, that's very interesting to dive again into that. Have you noticed that they literally removed the range proof from I came across this while trying to find |
Yes I did.
Range proofs I think were written by Jae; my guess, also I think I read that somewhere, is that they found it scary to modify (because it's a little bit scary; also whoever modifies it must be a kamikaze). Ics23 is more of a community effort, more reassuring for a community. But, if you've seen Dragonberry, it was a vuln in ics23 that could have resulted in all funds in ibc channels being hacked. So there's no silver bullet. Still I think the ics23 iavl is an interesting question. It would take more studying to have an opinion. First of all, this vuln should be studied https://blog.verichains.io/p/vsa-2022-100-tendermint-forging-membership-proof ; does it affect GNO's iavl? But in any case even if we decided to adopt it (ics23), I think it should be in a different PR. |
|
Thanks for the additional details @grepsuzette I agree with your arguments, range proof isn't necessarily something we need to replace for now. About the tendermint vuln, you're right we should definitively study it since it concerns the anyway, LGTM for this PR 👍 |
|
Thanks, appreciate you taking the time to review and talk. |
There was a problem hiding this comment.
Thank you for applying the fix 🙏
This fix is just part of a bigger issue of maintaining a stable iavl implementation.
I don't agree with the way we handled this fix with a panic, but it's a good starting point to discuss how we can make this safer and more reliable
cc @moul
|
Please resolve the conflicts in this PR 🙏 |
Original fix at cosmos/iavl#582, is simply: ``` if len(pin.Left) > 0 && len(pin.Right) > 0 { return nil, errors.New("both left and right child hashes are set") } ``` Our iavl functions however don't return errors. Proposing to use `panic()` instead, as it does in other parts of this file. More about this 2022-10-07 vuln: https://medium.com/@Beosin_com/how-did-the-bnb-chain-exploiter-pass-iavl-proof-verification-an-in-depth-analysis-by-beosin-c925b77bc13e https://twitter.com/buchmanster/status/1578879225574350848
Won't compile yet. Is a test of the iavl proof forgery as exploited during BSC 2022-10-07 hack. Notes: 1. proof_forgery_test.go comes from cosmos/iavl#582 2. gist showing the same vuln at https://gist.github.com/samczsun/8635f49fac0ec66a5a61080835cae3db The test is not going to compile as is, it needs some work.
…lnerable)
output follows
--- FAIL: TestProofForgery (0.00s)
proof_forgery_test.go:69:
Error Trace: /home/bob/opt/src/COINS/Cosmos/GNO/gno/pkgs/iavl/proof_forgery_test.go:69
Error: Should be empty, but was [73 209 82 89 222 179 131 99 170 27 180 58 80 20 211 (...) 94 7 254 45 183 20 244]
Test: TestProofForgery
Messages: roothash must be empty if both left and right are set
FAIL
FAIL command-line-arguments 0.003s
FAIL
and fails otherwise (fails when vuln not fixed) It should now be ok for review.
grepsuzette
force-pushed
the
fix-failing-test-pr584
branch
from
817171d
to
f65e6ce
Compare
applying @zikovicmilos suggestion
|
@zivkovicmilos done |
|
I don't understand why there's one cancelled check. |
|
@moul shall we review/merge this? thanks! |
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## master #584 +/- ##
==========================================
+ Coverage 46.98% 47.04% +0.05%
==========================================
Files 365 365
Lines 61159 61161 +2
==========================================
+ Hits 28737 28771 +34
+ Misses 30062 30036 -26
+ Partials 2360 2354 -6
Flags with carried forward coverage won't be shown. Click here to find out more.
☔ View full report in Codecov by Sentry. |
This is a fix for the 2022-10-07 Binance vuln demonstrated in gnolang#583. **Original fix** was simply (cosmos/iavl#582): ``` if len(pin.Left) > 0 && len(pin.Right) > 0 { return nil, errors.New("both left and right child hashes are set") } ``` Our iavl functions however don't return errors. Proposing to use `panic()` instead, as it does in other parts of this file. --- More about the vuln, for comments and archival: * https://twitter.com/buchmanster/status/1578879225574350848 * https://medium.com/@Beosin_com/how-did-the-bnb-chain-exploiter-pass-iavl-proof-verification-an-in-depth-analysis-by-beosin-c925b77bc13e --------- Co-authored-by: grepsuzette <grepsuzette@users.noreply.github.com> Co-authored-by: Antonio Navarro Perez <antnavper@gmail.com> Co-authored-by: Manfred Touron <94029+moul@users.noreply.github.com>
This is a fix for the 2022-10-07 Binance vuln demonstrated in #583.
Original fix was simply (cosmos/iavl#582):
Our iavl functions however don't return errors. Proposing to use
panic()instead, as it does in other parts of this file.More about the vuln, for comments and archival: