You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The goal of the Cosmos SDK is to allow developers to easily create custom blockchains from scratch that can natively interoperate with other blockchains. We envision the SDK as the npm-like framework to build secure blockchain applications on top of Tendermint. SDK-based blockchains are built out of composable modules, most of which are open source and readily available for any developers to use. Anyone can create a module for the Cosmos-SDK, and integrating already-built modules is as simple as importing them into your blockchain application. What's more, the Cosmos SDK is a capabilities-based system, which allows developers to better reason about the security of interactions between modules.
When thinking about security, it is good to start with a specific threat model. Our threat model is the following:
We assume that a thriving ecosystem of Cosmos-SDK modules that are easy to compose into a blockchain application will contain faulty or malicious modules.
The Cosmos SDK is designed to address this threat by being the foundation of an object capability system.
However, this is not currently the case. @colin-axner:
Access to module internal storage is gated by the SDK which does not have module capability support. [...] Atm we have high trust in the modules deployed so it isn't a high concern (any untrusted module could simply drain the bank keeper).
I also have concerns about how the current object-capability model is implemented if we assume untrusted modules, as outlined in this issue comment (it was written with Rust in mind, but also applies to go due to the unsafe package).
Version
v3.0.0
For Admin Use
Not duplicate issue
Appropriate labels applied
Appropriate contributors tagged/assigned
The text was updated successfully, but these errors were encountered:
<!--
Please read and fill out this form before submitting your PR.
Please make sure you have reviewed our contributors guide before
submitting your
first PR.
-->
## Overview
Closes: cosmos#1249
Also, fixes `markdown-lint` CI checks.
<!--
Please provide an explanation of the PR, including the appropriate
context,
background, goal, and rationale. If there is an issue with this
information,
please provide a tl;dr and link the issue.
-->
## Checklist
<!--
Please complete the checklist to ensure that the PR is ready to be
reviewed.
IMPORTANT:
PRs should be left in Draft until the below checklist is completed.
-->
- [ ] New and updated code has appropriate documentation
- [x] New and updated code has new and/or updated testing
- [x] Required CI checks are passing
- [ ] Visual proof for any user facing features like CLI or
documentation updates
- [x] Linked issues closed with keywords
Co-authored-by: Ganesha Upadhyaya <[email protected]>
Summary of Bug
The docs state:
And the object-capability model docs:
However, this is not currently the case. @colin-axner:
I also have concerns about how the current object-capability model is implemented if we assume untrusted modules, as outlined in this issue comment (it was written with Rust in mind, but also applies to go due to the unsafe package).
Version
v3.0.0
For Admin Use
The text was updated successfully, but these errors were encountered: