dymensionxyz / roller

CLI tool for deploying Dymension RollApps
72 stars 64 forks

Keyring backend `test` gets exposed RollApps' accounts drained #281

Closed VictorTrustyDev closed 1 year ago

VictorTrustyDev commented 1 year ago

Ubuntu 22.04 LTS x86_64

Roller 0.1.2, RollApp EVM (I believe 0.4.0-rc2)

Steps to reproduce it

Set up a RollApp EVM and expose port 8545 (ETH JSON-RPC) publicly.

Result

Wait a few days or a few weeks. Finally, one day, the balance of the sequencer account gets drained, with everything transferred to 0x071aad74a52f76aec4a4b4fecfc910dbc8fe03f4 (a famous account). This affects all accounts stored under the keyring `test`.

Notes

I already mentioned this in dymensionxyz/roller#256

VictorTrustyDev commented 1 year ago

Manual fix:

  1. Stop roller (stop the chain)
  2. Export the sequencer key into a file (key `rollapp_sequencer`):
    rollapp_evm --home ~/.roller/rollapp/ --keyring-backend test keys export rollapp_sequencer > ~/sequencer.key
  3. Import the sequencer key back with keyring-backend changed to `os`:
    rollapp_evm --home ~/.roller/rollapp/ --keyring-backend os keys import rollapp_sequencer ~/sequencer.key
  4. Open client.toml and change the keyring-backend value to `os`. The file is located at ~/.roller/rollapp/config/client.toml
  5. Restart the chain/roller

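The manual fix above, scripted as an added example (not part of roller or of this issue). It reuses the page's binary and paths (rollapp_evm, ~/.roller/rollapp, client.toml); the ROLLAPP_HOME and KEY_NAME variables and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not roller's own tooling: moves the sequencer key off the
# plaintext `test` keyring backend and points client.toml at the `os` backend.
# ROLLAPP_HOME, KEY_NAME and the function names are assumptions of this script.
set -eu

ROLLAPP_HOME="${ROLLAPP_HOME:-$HOME/.roller/rollapp}"
KEY_NAME="${KEY_NAME:-rollapp_sequencer}"

# Print the keyring-backend currently configured in a client.toml.
get_keyring_backend() {
  sed -nE 's|^[[:space:]]*keyring-backend[[:space:]]*=[[:space:]]*"([^"]*)".*|\1|p' "$1" | head -n 1
}

# Rewrite keyring-backend in a client.toml (step 4). Fails if the key is absent,
# so a wrong path cannot silently leave the node on the `test` backend.
set_keyring_backend() {
  toml="$1"; backend="$2"
  [ -n "$(get_keyring_backend "$toml")" ] || return 1
  tmp="$(mktemp)"
  sed -E "s|^([[:space:]]*keyring-backend[[:space:]]*=[[:space:]]*)\"[^\"]*\"|\1\"$backend\"|" "$toml" > "$tmp"
  mv "$tmp" "$toml"
}

# Steps 2-4: export from `test`, import into `os`, switch client.toml.
# Run with roller/the chain stopped (step 1) and restart afterwards (step 5).
migrate_sequencer_key() {
  export_file="$(mktemp)"
  # `keys export` prompts for a passphrase and writes armored, encrypted key material.
  rollapp_evm --home "$ROLLAPP_HOME" --keyring-backend test keys export "$KEY_NAME" > "$export_file"
  rollapp_evm --home "$ROLLAPP_HOME" --keyring-backend os keys import "$KEY_NAME" "$export_file"
  rm -f "$export_file"
  set_keyring_backend "$ROLLAPP_HOME/config/client.toml" os
  # Confirm the key is now served by the OS keyring.
  rollapp_evm --home "$ROLLAPP_HOME" --keyring-backend os keys show "$KEY_NAME"
  # Note: export does not remove the plaintext copy from the `test` keyring
  # directory under $ROLLAPP_HOME; review that directory separately.
}

# Only perform the migration when explicitly requested.
if [ "${1:-}" = "--migrate" ]; then migrate_sequencer_key; fi
```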
omritoptix commented 1 year ago

thank you @VictorTrustyDev. We're looking into this.

mtsitrin commented 1 year ago

Hi @VictorTrustyDev, have you changed some EVM-related configuration, or did it happen on the default setup?

mtsitrin commented 1 year ago

Issue reproducible:

> geth attach http://localhost:8545   

Welcome to the Geth JavaScript console!

instance: Version dev ()
Compiled at  using Go go1.20.5 (arm64)
coinbase: 0x111111ae71ad1dDfC6692AfbcE88CC75D6B12dEC
at block: 139 (Mon Jul 17 2023 12:55:34 GMT+0300 (IDT))
 modules: eth:1.0 net:1.0 rpc:1.0 web3:1.0

To exit, press ctrl-d or type exit
> eth.sendTransaction({from:eth.coinbase, to:'0xF6716284E0AFBFBF7760C741E6AFA04F184B4AB9', value:"0x9184e72a", gas:"0x76c0", gasPrice:1})

"0x11705507cd69b44daeb8879c8eaa967a84d0b99190ff7f720b88c5d1f41d5a41"

We can see that by connecting to the JSON-RPC, we can make transactions as the genesis account.

VictorTrustyDev commented 1 year ago

This affects all accounts managed under keyring-backend=test; the genesis account is one of them. You can try adding another key:

rollapp_evm --keyring-backend test keys add xyz

Transfer some coins to it and you will see that you are able to take them back.

VictorTrustyDev commented 1 year ago

> Hi @VictorTrustyDev, have you changed some EVM-related configuration, or did it happen on the default setup?

Default. As I mentioned, this is due to the default setup with keyring-backend = test.