Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The docs mention that modules can be untrusted, but they are currently must be trusted #1249

Closed
3 tasks
plafer opened this issue Apr 12, 2022 · 2 comments
Closed
3 tasks

Comments

@plafer
Copy link

plafer commented Apr 12, 2022

Summary of Bug

The docs state:

The goal of the Cosmos SDK is to allow developers to easily create custom blockchains from scratch that can natively interoperate with other blockchains. We envision the SDK as the npm-like framework to build secure blockchain applications on top of Tendermint. SDK-based blockchains are built out of composable modules, most of which are open source and readily available for any developers to use. Anyone can create a module for the Cosmos-SDK, and integrating already-built modules is as simple as importing them into your blockchain application. What's more, the Cosmos SDK is a capabilities-based system, which allows developers to better reason about the security of interactions between modules.

And the object-capability model docs:

When thinking about security, it is good to start with a specific threat model. Our threat model is the following:

We assume that a thriving ecosystem of Cosmos-SDK modules that are easy to compose into a blockchain application will contain faulty or malicious modules.

The Cosmos SDK is designed to address this threat by being the foundation of an object capability system.

However, this is not currently the case. @colin-axner:

Access to module internal storage is gated by the SDK which does not have module capability support. [...] Atm we have high trust in the modules deployed so it isn't a high concern (any untrusted module could simply drain the bank keeper).

I also have concerns about how the current object-capability model is implemented if we assume untrusted modules, as outlined in this issue comment (it was written with Rust in mind, but also applies to go due to the unsafe package).

Version

v3.0.0


For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged/assigned
@crodriguezvega
Copy link
Contributor

Thanks @plafer for opening this issue and raising your concerns.

But the docs that you link are from the Cosmos SDK, not ibc-go, so it would be better to open this issue in their repository.

@plafer
Copy link
Author

plafer commented Apr 13, 2022

Oh wow, I must have been distracted... Sorry about that!

@plafer plafer closed this as completed Apr 13, 2022
CosmosCar pushed a commit to caelus-labs/ibc-go that referenced this issue Nov 6, 2023
<!--
Please read and fill out this form before submitting your PR.

Please make sure you have reviewed our contributors guide before
submitting your
first PR.
-->

## Overview
Closes: cosmos#1249 

Also, fixes `markdown-lint` CI checks.

<!-- 
Please provide an explanation of the PR, including the appropriate
context,
background, goal, and rationale. If there is an issue with this
information,
please provide a tl;dr and link the issue. 
-->

## Checklist

<!-- 
Please complete the checklist to ensure that the PR is ready to be
reviewed.

IMPORTANT:
PRs should be left in Draft until the below checklist is completed.
-->

- [ ] New and updated code has appropriate documentation
- [x] New and updated code has new and/or updated testing
- [x] Required CI checks are passing
- [ ] Visual proof for any user facing features like CLI or
documentation updates
- [x] Linked issues closed with keywords

Co-authored-by: Ganesha Upadhyaya <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants