Closed b4d2 closed 2 years ago
Ok, so a 200MB string is created by the deploy script, then sent through various Zoe APIs until a vat is terminated. Things I plan to investigate:
v11
is really vat-zoe, not the newly-created contract vat. (v11 is probably vat-zoe)
Wen we figure out fees, it sounds like this message should have cost too much to deliver, which would be an extra layer of protection on top of whatever else we come up with.
Two more general questions:
zoe.install
to throw an exception with "invalid token name: too large"?In today's discussion, we figured that a 1MB hard-coded limit would be good, and means that we're confident that a single 1MB message won't crash anything. And we'll state that we expect all messages to be less than 10kB in size, so we'll apply a nominal fee to anything smaller than that, and grow it (possibly super-linearly) beyond that point. The intention is that the fee starts to become painfully expensive well before we get to the hard-coded limit. All of these limits and fee curves should be configurable through governance so we can change them later without a deep upgrade.
Once the #3269 bundle-install pathway is done, contract code will no longer be carried in messages (either into the chain or between vats, although the bundle will still be in the response to the D(bundleCap).getBundle()
device-node invocation syscall that ZCF does). That will remove the most pressing use case for 2MB+ messages. We don't really want large computation to be performed on-chain (so we don't want to support a use-case of e.g. processing large bitmaps), but we can still imagine a single operation that interacts with e.g. hundreds of other objects, and which might need to point at all of them, so 10kB may not be enough. We don't yet know where to draw the line. We currently feel pretty comfortable allowing small messages, and pretty nervous about allowing large messages, but as we discover new attacks and use cases, those feelings will change. Having a variable fee will apply an incentive to express our anti-desire for large computation, and hopefully the hard limit will provide some protection against a useful number of attacks.
Describe the bug
By creating a zcfMint with an extremely large token name, after installing the Dapp in the wallet, the zoe vat crashes
To Reproduce
agoric deploy ./contract/deploy.js ./api/deploy.js
) contract code will install on zoe,Deploy Output
Expected behavior
I should not be able to crash the zoe vat from a malicious Dapp
Additional notes
This may result in a cascading failure as well, as the Token name is utilized by multiple services downstream from zoe
Platform Environment
git describe --tags --always
)72cc8d6bcf428596653593708959446fb0a29596
ref #4264