Closed Reinis-FRP closed 11 months ago
Even after implementing [UMA-1608](https://linear.app/uma/issue/UMA-1608/bug-verification-bot-does-not-defend-against-replay-attacks), this does not fully protect against replay attacks where the attacker submits a second proposal with changed casing for CIDv1 in the explanation. The bot would think it's a different Snapshot proposal while the IPFS gateway would still resolve the proposal with alternative casing. We should fix this by performing additional encoding/decoding of the explanation to detect the CID version and allow different casing when it's CIDv1.
These changes look good to me!
Personally I think having tests in this project makes a lot of sense and is worth the exploration! Could this be used to mock IPFS? https://github.com/httptoolkit/mockipfs
Agree, it would be worth adding tests, but the challenging part is we need to mock both IPFS and GraphQL responses. mockipfs might be useful if we did access IPFS nodes directly, but here we use a gateway provider and access contents with a simple fetch (without an IPFS client).
Motivation
oSnap bot replay protection does not fully protect against replay attacks where the attacker submits a second proposal with changed casing for CIDv1 in the explanation. The bot would think it's a different Snapshot proposal while the IPFS gateway would still resolve the proposal with alternative casing.
Summary
Adds IPFS hash validation to oSnap verification logic.
Details
Uses the multiformats library to try to parse the explanation as a CID. This parses only lowercase CIDv1 strings, so any attack trying to pass upper casing would be detected.
Testing
Writing unit tests would require implementing mocked servers for ipfs content and serving graphql queries. Instead, this was tested as in production on Goerli:
NODE_URL_5 variable to .env and started the proposal verification bot on Goerli with 30 second polling:
Issue(s)
Fixes https://linear.app/uma/issue/UMA-1640/osnap-bot-should-handle-ipfs-cid-casing
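
The casing check described in the PR description above, as an added example that is not the bot's code or the multiformats API: a dependency-free approximation that accepts only a canonical CIDv0 shape or a lowercase base32 CIDv1, so a re-cased copy of an already-seen explanation is rejected instead of being treated as a new proposal. The function names, return strings and the sample CID are assumptions made for illustration.

```javascript
// Added example: dependency-free approximation of a strict CID check (not the multiformats API).
const BASE58 = /^[1-9A-HJ-NP-Za-km-z]+$/;
const BASE32_LOWER = "abcdefghijklmnopqrstuvwxyz234567";

// Decode lowercase RFC 4648 base32 without padding; any other character (including upper case) fails.
function decodeBase32Lower(s) {
  const out = [];
  let bits = 0, acc = 0;
  for (const ch of s) {
    const v = BASE32_LOWER.indexOf(ch);
    if (v < 0) return null;
    acc = (acc << 5) | v;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
      acc &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return out;
}

// Returns { version, key } when the explanation is a canonical CID string, otherwise null.
function parseCanonicalCid(explanation) {
  if (explanation.length === 46 && explanation.startsWith("Qm") && BASE58.test(explanation)) {
    return { version: 0, key: explanation }; // CIDv0 shape: base58btc, case-sensitive
  }
  if (explanation.startsWith("b")) { // multibase prefix for lowercase base32
    const bytes = decodeBase32Lower(explanation.slice(1));
    if (bytes && bytes.length > 2 && bytes[0] === 0x01) return { version: 1, key: explanation };
  }
  return null;
}

// Hypothetical replay guard: each canonical explanation is accepted once.
function makeReplayGuard() {
  const seen = new Set();
  return (explanation) => {
    const cid = parseCanonicalCid(explanation);
    if (!cid) return "rejected: not a canonical CID";
    if (seen.has(cid.key)) return "rejected: replay";
    seen.add(cid.key);
    return "accepted";
  };
}

// Sample CIDv1 string used for illustration; it does not come from the bot's data.
const SAMPLE_CIDV1 = "bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi";
```

Because only one spelling of a CIDv1 passes the parser, the set of seen explanations needs no separate case folding.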