-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hermes: Make sure hermes cannot be slowed down by packets to fake chains #1038
Comments
Thanks for the clarification, I understood something different in our discussion. So I think we can detect this and drop the send packet event early. In step 4 we find the channel end on real I think this should work as Here is an example of the channel, connection and client IDs on the two akash chains
Note also that the client updates will not fail in this case as the headers are valid hub headers for a client ID that exists on the real |
I didn't know channel-id was unique. Is this something implementation-related, or something specified in the IBC spec. If it's the former, maybe using client-id would be more robust? In any case, the general idea of what you proposed @ancazamfir makes sense. That's what we've implemented in our own backend to verify IBC paths. |
It is in the ICS24 IBC spec. There is a table that lists the keys that identify the different objects (e.g. clientState, connectionEnd, channelEnd). We will add the check I mentioned above and will also look into doing the similar check at connectionEnd and clientState level to see if they add to the security. My concern is that these queries take time. Need to check if we can make use of the little information we cache, otherwise we would have to do more queries for each event/ packet or make a small design change. |
BTW, there is a gRPC query implemented in SDK that, given a channel and port ID, retrieves the client data (includes the client ID and state). So it's faster if you don't need connection information. |
I can confirm this is a problem. The conditions I recreated are not exactly the same as in the above description of this issue, but suffice to say that Hermes can become confused and relay packets to a different chain that the original chain that was intended to receive them,
As can be seen in the last log line I pasted above, the destination chain, fake ibc-1, rejects the packet on grounds of mismatching source channel (which is the correct behavior to be expected from a chain). The actual destination was another chain.. The command |
…te` (#1066) * Countermeasure that fixes #1038 * Tentative fix for #1064 * Better fix for the impersonation problem * Better log message. Handle (TryOpen, Init) case * Changelog * Better error, added doc comment, less clones. * Clarify the intent of method do_chan_open_ack_confirm_step * Removed some unnecessary clones * Moved check_channel_counterparty to chain::counterparty * Fully specified error in case of failure in check_channel_counterparty * Used port+channel instead of socket * Fix small typo in error variant * Removed chan counterparty verification in ft-transfer. Co-authored-by: Anca Zamfir <[email protected]>
…te` (informalsystems#1066) * Countermeasure that fixes informalsystems#1038 * Tentative fix for informalsystems#1064 * Better fix for the impersonation problem * Better log message. Handle (TryOpen, Init) case * Changelog * Better error, added doc comment, less clones. * Clarify the intent of method do_chan_open_ack_confirm_step * Removed some unnecessary clones * Moved check_channel_counterparty to chain::counterparty * Fully specified error in case of failure in check_channel_counterparty * Used port+channel instead of socket * Fix small typo in error variant * Removed chan counterparty verification in ft-transfer. Co-authored-by: Anca Zamfir <[email protected]>
If I'm not mistaken, when Hermes catches an IBC transfer to relay, it does the following:
The (potential) issue is that chain-ids are not unique, meaning it is possible for someone to create an IBC connection with a chain-id that is exactly the same as the chain-id of a "real chain". This could potentially be a problem is hermes retries multiple times if header verification fails. Consider the following scenario:
client-1
and the chain-id isakash-1
.akash-1
, only the client-id is different,client-2
.akash-1
.My questions is: do we have a problem? Can this slow down Hermes significantly?
cc @ancazamfir @romac @andynog
The text was updated successfully, but these errors were encountered: