crodriguezvega
commented
4 months ago Thank you for reporting this issue, @faddat. We will discuss it internally with the utmost urgency and will try to come back to you as soon as possible.
Closed faddat closed 4 months ago
crodriguezvega
commented
4 months ago Thank you for reporting this issue, @faddat. We will discuss it internally with the utmost urgency and will try to come back to you as soon as possible.
faddat
commented
4 months ago The interchain foundation is abusive to reporters of security issues and ignores serious issues to the detriment of the entire cosmos ecosystem.
faddat
commented
4 months ago Doesn't seem to happen with lots of smalls.
Maybe.
Not sure.
Been working this mainly solo since Sept 21 2023 when I reported similar but different issues to the interchain foundations approved security channels.
I had conversations with the following groups about this:
Here are my full documents provided to the interchain foundation at that time:
Due to my report of security issues I incurred very significant time and reputational costs. The reputational costs were due to targeted abuse and harassment from interchain foundation teams.
I have kept detailed records of this.
faddat
commented
4 months ago It really actually just looks like a deniable on off switch, preserved with social techniques.
Easiest way to explain events here.
DimitrisJim
commented
4 months ago I wont speak on the non-technical aspect of things since I don't involve myself with them on purpose. :sweat_smile:
On the tx size front, we did add limits on all relevant fields after you brought it up afaik; I've been trying to keep up with limit lengths on newly introduced ones too. This is the most that we can currently do on the IBC-go side of things, as far as I've understood.
Some of the field lengths could possibly be even further reduced but I still think we're solving the problem on the wrong layer of things.
faddat
commented
4 months ago @DimitrisJim yeah I understand about the non-technical stuff, but I do want you to know that I am reporting those items as well.
So you recognize that these oversized transactions can turn off any active IBC Channel?
If yes, that's a really severe issue and needs to be communicated.
...as that's a technical thing, but also a user facing thing. Users don't currently expect that someone can slam the door in their face using IBC
From what I can tell, that's possible, and dramatically changes how users should think of IBC (from always available to not available when you need it most)
If by the wrong layer of things, you mean consensus, that is possible, and we're going to need to put evidence on that. My suggestion is that you get a hardhat setup going.
I also recognize that it's completely possible that it could be in other layers of the stack yet unknown.
To be clear I do agree with your pov here, but also must firmly insist that there are issues with security process at ICF.
Icf has had the code and docs and videos for this for over eight months.
Icf funded teams and individuals have spent more time discussing the reporter than the issue and that's negligent when The issue is as severe as this one.
faddat
commented
4 months ago For reference, there are 180,000 packets on umee waiting to get to cosmoshub
faddat
commented
4 months ago ... osmo to hub
faddat
commented
4 months ago I'm really trying to also take care of the really grave security issues in the reporting process in Cosmos. This was a total failure, 0 out of 10.
And I want to make really clear that it absolutely was not only Jack talking about me instead of technology, it was our illustrious former Foundation president Bucky as well
This raises very serious questions about priorities in Cosmos and questions about the viability of Cosmos and the interchain Foundation
faddat
commented
4 months ago I hope that this issue serves as a warning to people in Cosmos that you can bring up an issue in an accurate way, and see every ICF funded team discuss you, instead of the issue.
Information that can be gleaned from a block explorer is not about any persons personal style.
I don't know what layer of the stack this issue is at.
Icf funds went into discussing me, not problems.
There's no place to report stuff like this, because well, when I reported this stuff, the organizational priority of the interchain foundation execs was on quashing reports.
The screenshots are from eight months ago.
crodriguezvega
commented
4 months ago We discussed yesterday and we decided to backport https://github.com/cosmos/ibc-go/pull/4992 to v7 as a mitigation for this issue, and we will release v7.6.0 this week. Thank you @faddat for raising this issue.
crodriguezvega
commented
4 months ago We have released v7.6.0 with the back port of #4992.
IMPORTANT: Prior to opening a bug report, check if it affects one of the core modules and if its elegible for a bug bounty on
SECURITY.md. Bugs that are not submitted through the appropriate channels won't receive any bounty.Heh, if you report through "proper" channels, you experience:
So there's genuinely no sense in that because in cosmos bug reporters are the bug to be squashed.
Appreciation for the osmosis team for not being like that.
Summary of Bug
Ibc channels can be stopped by overwhelming them with transactions. Currently tested only on ibc 1-7 with fully compliant 725kb transactions.
Test tooling is available at
GitHub.com/somatic-labs/hardhat
Replication of this issue with that tooling can be accomplished in minutes.
Expected Behaviour
Teams build with IBC sometimes with the expectation that their chains are able to make time-sensitive transactions.
In most cases this is true, however when there are lots of big transactions, the channel ceases to be useful.
Version
1-7 have been tested but I suspect this is universal. For v8 just reduce field lengths to their maximums and make more transactions.
Steps to Reproduce
....and the IBC channel of your choice will cease working correctly for the duration of your tx stream plus several hours.
For Admin Use