vegaprotocol / vegatools

A go command line utility providing a bunch of tools to use with a Vega network
MIT License

fix(deps): update module code.vegaprotocol.io/vega to v0.71.6 [security] - autoclosed #287

Closed renovate[bot] closed 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| code.vegaprotocol.io/vega | require | minor | v0.70.1-0.20230419150238-cdfb016b9196 -> v0.71.6 |

GitHub Vulnerability Alerts

CVE-2023-35163

A vulnerability exists that allows a malicious validator to trick the Vega network into re-processing past Ethereum events from Vega’s Ethereum bridge. For example, a deposit to the collateral bridge for 100USDT that credits a party’s general account on Vega, can be re-processed 50 times resulting in 5000USDT in that party’s general account. This is without depositing any more than the original 100USDT on the bridge.

Despite this exploit requiring access to a validator's Vega key, a validator key can be obtained at the small cost of 3000VEGA, the amount needed to announce a new node onto the network.

The steps to carry out this exploit are as follows:

  1. Cause an Ethereum event on one of the bridge contracts e.g a deposit to the collateral bridge, or the staking bridge
  2. This will result in the Ethereum-event-forwarder of each node submitting a ChainEvent transaction to the Vega network corresponding to that event
  3. Scrape the valid chain event transaction from the Tendermint block data using a node’s Tendermint API
  4. Change the value of the txId field of the ChainEvent to any valid, but different, value
  5. Bundle the tweaked ChainEvent into a new transaction, sign it with a validator key and resubmit to the Vega network
  6. The fraudulent ChainEvent will be processed by Vega as if it were a new ChainEvent even though it did not occur on Ethereum

The key to this exploit is in step 4. The txId field of the ChainEvent is used when checking for ChainEvent resubmission, but NOT during the subsequent on-chain verification of the event. Therefore changing the txId of an existing ChainEvent is enough to bypass the duplication check and for it to still be verified as a real event.

Impact

The impact of this exploit is dependent on the ChainEvent being manipulated. The below table describes each one:

| Chain Event | Allows | Consequence |
|---|---|---|
| Deposit | Generation of unlimited funds of any asset | Withdrawal of all assets |
| Stake Deposit | Delegate unlimited Vega to a single node | A single node has controlling amount of voting power |
| Stake Removed | Force a Validator node to drop below self-stake requirements | Prevents reward payouts |
| Bridge Stop | The Vega network to think the bridge is stopped | Prevent anyone from withdrawing funds |
| Signer Removed | The Vega network to think a validator node is not on the multisig contract | Prevent reward payouts |

Patches

v0.71.6

Workarounds

No workaround is known; however, there are mitigations in place should this vulnerability be exploited:

References

N/A


Release Notes

vegaprotocol/vega (code.vegaprotocol.io/vega)

### [`v0.71.6`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.71.6)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.71.5+datanodefix...v0.71.6)

Release version 0.71.6 *2023-06-20*

Fixes:

- [8402](https://togithub.com/vegaprotocol/vega/issues/8402) - Avoid division by 0 in market activity tracker
- [8414](https://togithub.com/vegaprotocol/vega/issues/8414) - Fix corruption on order subscription
- [8412](https://togithub.com/vegaprotocol/vega/issues/8412) - Fix non deterministic ordering of events emitted on auto delegation
- [8313](https://togithub.com/vegaprotocol/vega/issues/8313) - Assure liquidation price estimate works with 0 open volume
- [8226](https://togithub.com/vegaprotocol/vega/issues/8226) - Fix auto initialise failure when initialising empty node
- [8353](https://togithub.com/vegaprotocol/vega/issues/8353) - Improve ledger entry `CSV` export.
- [8358](https://togithub.com/vegaprotocol/vega/issues/8358) - Fix replay protection
- [8451](https://togithub.com/vegaprotocol/vega/issues/8451) - Fix invalid auction duration for new market proposals.
- [8471](https://togithub.com/vegaprotocol/vega/issues/8471) - Restore network parameters from snapshot without validation to avoid order dependence.
- [GHSA-8rc9-vxjh-qjf2](https://togithub.com/vegaprotocol/vega/security/advisories/GHSA-8rc9-vxjh-qjf2) - Validators able to submit duplicate transactions

### [`v0.71.5`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.71.5)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.71.4+fix...v0.71.5+datanodefix)

Release version 0.71.5 *2023-05-26*

Fixes:

- [8385](https://togithub.com/vegaprotocol/vega/issues/8385) - Add code patches to swap out addresses of `ETH` bridges

### [`v0.71.4`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.71.4)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.71.3...v0.71.4+fix)

Release version 0.71.4 *2023-05-03*

Fixes:

- [8251](https://togithub.com/vegaprotocol/vega/issues/8251) - Fix bug in expired orders optimisation resulting in non deterministic order sequence numbers

### [`v0.71.3`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.71.3)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.71.2...v0.71.3)

Release version 0.71.3 *2023-05-02*

Fixes:

- [8231](https://togithub.com/vegaprotocol/vega/issues/8231) - Fix `GetNetworkHistoryStatus`

### [`v0.71.2`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.71.2)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.71.1...v0.71.2)

Release version 0.71.2 *2023-04-25*

Fixes:

- [8206](https://togithub.com/vegaprotocol/vega/issues/8206) - Add number of decimal places to oracle spec.

### [`v0.71.1`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.71.1)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.71.0...v0.71.1)

Release version 0.71.1 *2023-04-24*

Fixes:

- [8208](https://togithub.com/vegaprotocol/vega/issues/8208) - Fix block explorer API documentation
- [8203](https://togithub.com/vegaprotocol/vega/issues/8203) - Fix `assetId` parsing for Ledger entries export to `CSV` file.

### [`v0.71.0`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.71.0)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.70.4...v0.71.0)

Release version 0.71.0 *2023-04-21*

Breaking changes:

- [7859](https://togithub.com/vegaprotocol/vega/issues/7859) - Fix Ledger entries exporting `CSV` file.
- [8064](https://togithub.com/vegaprotocol/vega/issues/8064) - Remove `websocket` for rewards
- [8093](https://togithub.com/vegaprotocol/vega/issues/8093) - Remove offset pagination
- [8111](https://togithub.com/vegaprotocol/vega/issues/8111) - Unify payload between `admin.update_network` and `admin.describe_network` endpoint in the wallet API.
- [7916](https://togithub.com/vegaprotocol/vega/issues/7916) - Deprecated `TradesConnection GraphQL sub-queries` in favour of an `un-nested` Trades query with a filter parameter. This requires a change in the underlying `gRPC` request message. Trades subscription takes a `TradesSubscriptionFilter` that allows multiple `MarketID` and `PartyID` filters to be specified.
- [8143](https://togithub.com/vegaprotocol/vega/issues/8143) - Merge GraphQL and REST servers
- [8111](https://togithub.com/vegaprotocol/vega/issues/8111) - Reduce passphrase requests for admin endpoints by introducing `admin.unlock_wallet` and removing the `passphrase` field from wallet-related endpoints.

Improvements:

- [8030](https://togithub.com/vegaprotocol/vega/issues/8030) - Add `API` for fetching `CSV` data from network history.
- [7943](https://togithub.com/vegaprotocol/vega/issues/7943) - Add version to network file to be future-proof.
- [7759](https://togithub.com/vegaprotocol/vega/issues/7759) - Support for rolling back data node to a previous network history segment
- [8131](https://togithub.com/vegaprotocol/vega/issues/8131) - Add reset all command to data node and remove wipe on start up flags
- [7505](https://togithub.com/vegaprotocol/vega/issues/7505) - `Datanode` batcher statistics
- [8045](https://togithub.com/vegaprotocol/vega/issues/8045) - Fix bug in handling internal sources data.
- [7843](https://togithub.com/vegaprotocol/vega/issues/7843) - Report partial batch market instruction processing failure
- [7990](https://togithub.com/vegaprotocol/vega/issues/7990) - Remove reference to `postgres` in the `protobuf` documentation comments
- [7992](https://togithub.com/vegaprotocol/vega/issues/7992) - Improve Candles related `APIs`
- [7986](https://togithub.com/vegaprotocol/vega/issues/7986) - Remove cross `protobuf` files documentation references
- [8146](https://togithub.com/vegaprotocol/vega/issues/8146) - Add fetch retry behaviour to network history fetch command
- [7982](https://togithub.com/vegaprotocol/vega/issues/7982) - Fix behaviour of endpoints with `marketIds` and `partyIds` filters
- [7846](https://togithub.com/vegaprotocol/vega/issues/7846) - Add event indicating distressed parties that are still holding an active position.
- [7985](https://togithub.com/vegaprotocol/vega/issues/7985) - Add full stop on all fields documentation to get it properly generated
- [8024](https://togithub.com/vegaprotocol/vega/issues/8024) - Unify naming in `rpc` endpoints and add tags
- [7989](https://togithub.com/vegaprotocol/vega/issues/7989) - Remove reference to cursor based pagination in `rpc` documentations
- [7991](https://togithub.com/vegaprotocol/vega/issues/7991) - Improve `EstimateFees` documentation
- [7108](https://togithub.com/vegaprotocol/vega/issues/7108) - Annotate required fields in `API` requests.
- [8039](https://togithub.com/vegaprotocol/vega/issues/8039) - Write network history segments in the `datanode` process instead of requesting `postgres` to write them.
- [7987](https://togithub.com/vegaprotocol/vega/issues/7987) - Make terms consistent in `API` documentation.
- [8025](https://togithub.com/vegaprotocol/vega/issues/8025) - Address inconsistent verb and grammar in the `API` documentation.
- [7999](https://togithub.com/vegaprotocol/vega/issues/7999) - Review `DateRange API` documentation.
- [7955](https://togithub.com/vegaprotocol/vega/issues/7955) - Ensure the wallet API documentation matches the Go definitions
- [8023](https://togithub.com/vegaprotocol/vega/issues/8023) - Made pagination `docstrings` consistent.
- [8105](https://togithub.com/vegaprotocol/vega/issues/8105) - Make candles return in ascending order when queried from `graphql`.
- [8144](https://togithub.com/vegaprotocol/vega/issues/8144) - Visor - remove data node asset option from the config. Use only one asset.
- [8000](https://togithub.com/vegaprotocol/vega/issues/8000) - Add documentation for `Pagination` `protobuf` message.
- [7969](https://togithub.com/vegaprotocol/vega/issues/7969) - Add `GoodForBlocks` field to transaction input data.
- [8155](https://togithub.com/vegaprotocol/vega/issues/8155) - Visor - allow restart without snapshot.
- [8129](https://togithub.com/vegaprotocol/vega/issues/8129) - Keep liquidity fee remainder in fee account.
- [8022](https://togithub.com/vegaprotocol/vega/issues/8022) - Improve `ListTransfers` API documentation.
- [8154](https://togithub.com/vegaprotocol/vega/issues/8154) - Visor - added option for delaying stop of binaries.
- [8169](https://togithub.com/vegaprotocol/vega/issues/8169) - Add `buf` format
- [7997](https://togithub.com/vegaprotocol/vega/issues/7997) - Clean up `API` comments when returned value is signed/unsigned.
- [7988](https://togithub.com/vegaprotocol/vega/issues/7988) - Make information about numbers expressed as strings more clear.
- [7998](https://togithub.com/vegaprotocol/vega/issues/7998) - Clean up `API` documentation for `ListLedgerEntries`.
- [8021](https://togithub.com/vegaprotocol/vega/issues/8021) - Add better field descriptions in the `API` documentation.
- [8171](https://togithub.com/vegaprotocol/vega/issues/8171) - Optimise the way offsets are used in probability of trading.
- [8194](https://togithub.com/vegaprotocol/vega/issues/8194) - Don't include query string as part of `Prometheus` metric labels
- [7847](https://togithub.com/vegaprotocol/vega/issues/7847) - Add `EstimatePosition` `API` method, mark `EstimateOrder` (GraphQL) and `EstimateMargin` (gRPC) as deprecated.
- [7969](https://togithub.com/vegaprotocol/vega/issues/7969) - Reverted the `TTL` changes, minor tweak to proof of work verification to ensure validator commands can't be rejected based on age.
- [7926](https://togithub.com/vegaprotocol/vega/issues/7926) - Squash `SQL` migration scripts into a single script.

Fixes:

- [7938](https://togithub.com/vegaprotocol/vega/issues/7938) - Attempt to fix protocol upgrade failure because of `LevelDB` file lock issue
- [7944](https://togithub.com/vegaprotocol/vega/issues/7944) - Better error message if we fail to parse the network configuration in wallet
- [7870](https://togithub.com/vegaprotocol/vega/issues/7870) - Fix `LP` subscription filters
- [8159](https://togithub.com/vegaprotocol/vega/issues/8159) - Remove corresponding network history segments on rollback
- [7954](https://togithub.com/vegaprotocol/vega/issues/7954) - Don't error if subscribing to a market/party that has no position yet
- [7899](https://togithub.com/vegaprotocol/vega/issues/7899) - Fixes inconsistency in the `HTTP` status codes returned when rate limited
- [7968](https://togithub.com/vegaprotocol/vega/issues/7968) - Ready for protocol upgrade flag set without going through memory barrier
- [7962](https://togithub.com/vegaprotocol/vega/issues/7962) - Set `isValidator` when loading from a checkpoint
- [7950](https://togithub.com/vegaprotocol/vega/issues/7950) - Fix the restore of deposits from checkpoint
- [7933](https://togithub.com/vegaprotocol/vega/issues/7933) - Ensure the wallet store is closed to avoid "too many opened files" error
- [8069](https://togithub.com/vegaprotocol/vega/issues/8069) - Handle zero return value for memory when setting IPFS resource limits
- [7956](https://togithub.com/vegaprotocol/vega/issues/7956) - Floor negative slippage per unit at 0
- [7964](https://togithub.com/vegaprotocol/vega/issues/7964) - Use mark price for all margin calculations
- [8003](https://togithub.com/vegaprotocol/vega/issues/8003) - Fix `ListGovernanceData` does not honour `TYPE_ALL`
- [8057](https://togithub.com/vegaprotocol/vega/issues/8057) - Load history and current state in one transaction
- [8058](https://togithub.com/vegaprotocol/vega/issues/8058) - Continuous aggregates should be updated according to the watermark and span of history loaded
- [8001](https://togithub.com/vegaprotocol/vega/issues/8001) - Fix issues with order subscriptions
- [7980](https://togithub.com/vegaprotocol/vega/issues/7980) - Visor - prevent panic when auto install configuration is missing assets
- [7995](https://togithub.com/vegaprotocol/vega/issues/7995) - Validate order price input to `estimateFee` and `estimateMargin`
- [8011](https://togithub.com/vegaprotocol/vega/issues/8011) - Return a not found error for an invalid network parameter key for the API
- [8012](https://togithub.com/vegaprotocol/vega/issues/8012) - Ensure client do not specify both a before and after cursor
- [8017](https://togithub.com/vegaprotocol/vega/issues/8017) - Return an error when requesting order with negative version
- [8020](https://togithub.com/vegaprotocol/vega/issues/8020) - Update default `tendermint` home path to `cometbft`
- [7919](https://togithub.com/vegaprotocol/vega/issues/7919) - Avoid sending empty ledger movements
- [8053](https://togithub.com/vegaprotocol/vega/issues/8053) - Fix notary vote count
- [8004](https://togithub.com/vegaprotocol/vega/issues/8004) - Validate signatures exist in announce node command
- [8004](https://togithub.com/vegaprotocol/vega/issues/8004) - Validate value in state variable bundles
- [8004](https://togithub.com/vegaprotocol/vega/issues/8004) - Validate Ethereum addresses and add a cap on node vote reference length
- [8046](https://togithub.com/vegaprotocol/vega/issues/8046) - Update GraphQL schema with new order rejection reason
- [6659](https://togithub.com/vegaprotocol/vega/issues/6659) - Wallet application configuration is correctly reported on default location
- [8074](https://togithub.com/vegaprotocol/vega/issues/8074) - Add missing order rejection reason to `graphql` schema
- [8090](https://togithub.com/vegaprotocol/vega/issues/8090) - Rename network history `APIs` that did not follow the naming convention
- [8060](https://togithub.com/vegaprotocol/vega/issues/8060) - Allow 0 decimals assets
- [7993](https://togithub.com/vegaprotocol/vega/issues/7993) - Fix `ListDeposits` endpoint and documentation
- [8072](https://togithub.com/vegaprotocol/vega/issues/8072) - Fix `panics` in estimate orders
- [8125](https://togithub.com/vegaprotocol/vega/issues/8125) - Ensure network compatibility can be checked against TLS nodes
- [8103](https://togithub.com/vegaprotocol/vega/issues/8103) - Fix incorrect rate limiting behaviour on `gRPC` `API`
- [8128](https://togithub.com/vegaprotocol/vega/issues/8128) - Assure price monitoring engine extends the auction one bound at a time
- [8149](https://togithub.com/vegaprotocol/vega/issues/8149) - Trigger populating `orders_live` table out of date and does not filter correctly for live orders.
- [8165](https://togithub.com/vegaprotocol/vega/issues/8165) - Send order events when an `lp` order is cancelled or rejected
- [8173](https://togithub.com/vegaprotocol/vega/issues/8173) - Trades when leaving auction should have the aggressor field set to `SideUnspecified`.
- [8184](https://togithub.com/vegaprotocol/vega/issues/8184) - Handle case for time termination value used with `LessThan` condition.
- [8157](https://togithub.com/vegaprotocol/vega/issues/8157) - Handle kill/interrupt signals in datanode, and clean up properly.
- [7914](https://togithub.com/vegaprotocol/vega/issues/7914) - Offer node signatures after snapshot restore
- [8187](https://togithub.com/vegaprotocol/vega/issues/8187) - Expose Live Only filter to the `GraphQL` Orders filter.

### [`v0.70.4`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.70.4)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.70.3...v0.70.4)

Release version 0.70.4 *2023-04-13*

Breaking changes:

- [8111](https://togithub.com/vegaprotocol/vega/issues/8111) - Unify payload between `admin.update_network` and `admin.describe_network` endpoint in the wallet API.

Improvements:

- [7943](https://togithub.com/vegaprotocol/vega/issues/7943) - Add version to network file to be future-proof.

Fixes:

- [7944](https://togithub.com/vegaprotocol/vega/issues/7944) - Better error message if we fail to parse the network configuration in wallet
- [7933](https://togithub.com/vegaprotocol/vega/issues/7933) - Ensure the wallet store is closed to avoid "too many opened files" error
- [6659](https://togithub.com/vegaprotocol/vega/issues/6659) - Wallet application configuration is correctly reported on default location

### [`v0.70.3`](https://togithub.com/vegaprotocol/vega/compare/v0.70.2...v0.70.3)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.70.2...v0.70.3)

### [`v0.70.2`](https://togithub.com/vegaprotocol/vega/releases/tag/v0.70.2)

[Compare Source](https://togithub.com/vegaprotocol/vega/compare/v0.70.1...v0.70.2)

Release version 0.70.2 *2023-03-31*

Fixes:

- [8045](https://togithub.com/vegaprotocol/vega/issues/8045) - Fix bug in handling internal sources data.
- [8053](https://togithub.com/vegaprotocol/vega/issues/8053) - Fix notary vote count

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate.
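The advisory's core point is that the replay check and the on-chain verification were keyed on different things: the duplicate check looked at the submitter-controlled `txId`, while verification looked only at the Ethereum event itself, so one real deposit could be replayed under fresh `txId` values. The Go program below is an added illustration of that mismatch and of the obvious repair (key the replay check on the same event identity that verification checks). It is not Vega's code and does not reproduce its fix; `ChainEvent`, `EthIdentity`, `Processor`, `VulnerableKey`, `HardenedKey` and the sample deposit are all constructed for this example, and the "Ethereum verifier" is a lookup table standing in for real bridge verification.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ChainEvent is a constructed stand-in for a bridge event that a validator
// forwards to the network. The field names are illustrative, not Vega's.
type ChainEvent struct {
	TxID        string // identifier chosen by the submitting validator
	BlockNumber uint64 // Ethereum block that emitted the log
	LogIndex    uint64 // position of the log within that block
	Contract    string // bridge contract address that emitted the log
	Party       string // account credited by the event
	Amount      uint64 // amount credited, in the asset's smallest unit
}

var (
	ErrDuplicate  = errors.New("chain event already processed")
	ErrUnverified = errors.New("chain event not found on ethereum")
)

// EthIdentity derives a key from the fields that identify the event on
// Ethereum. TxID is deliberately excluded: the submitter controls it and
// it says nothing about what happened on the bridge contract.
func EthIdentity(ev ChainEvent) string {
	raw := fmt.Sprintf("%d|%d|%s|%s|%d", ev.BlockNumber, ev.LogIndex, ev.Contract, ev.Party, ev.Amount)
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}

// EthVerifier stands in for the on-chain verification step. It is a
// constructed lookup keyed on EthIdentity, so, like the check the advisory
// describes, it never looks at TxID.
type EthVerifier map[string]bool

// Processor credits balances from chain events. keyFn decides what the
// replay (duplicate) check is keyed on; that choice is the whole bug.
type Processor struct {
	verifier EthVerifier
	keyFn    func(ChainEvent) string
	seen     map[string]bool
	Balances map[string]uint64
}

func NewProcessor(v EthVerifier, keyFn func(ChainEvent) string) *Processor {
	return &Processor{verifier: v, keyFn: keyFn, seen: map[string]bool{}, Balances: map[string]uint64{}}
}

// Handle applies one chain event: duplicate check first, then on-chain
// verification, then the credit.
func (p *Processor) Handle(ev ChainEvent) error {
	key := p.keyFn(ev)
	if p.seen[key] {
		return ErrDuplicate
	}
	if !p.verifier[EthIdentity(ev)] {
		return ErrUnverified
	}
	p.seen[key] = true
	p.Balances[ev.Party] += ev.Amount
	return nil
}

// VulnerableKey reproduces the flaw: the replay check keys on the
// submitter-controlled TxID, so any fresh TxID looks like a new event.
func VulnerableKey(ev ChainEvent) string { return ev.TxID }

// HardenedKey keys the replay check on the same Ethereum identity that
// verification checks, so a changed TxID no longer bypasses it.
func HardenedKey(ev ChainEvent) string { return EthIdentity(ev) }

// Replay submits one genuine deposit, then `copies` resubmissions of the
// same event with fresh TxIDs, and returns the party's resulting balance.
func Replay(keyFn func(ChainEvent) string, copies int) uint64 {
	// Constructed sample: one 100 USDT deposit, represented as 100 units.
	genuine := ChainEvent{TxID: "0xaaaa", BlockNumber: 17000000, LogIndex: 3, Contract: "0xbridge", Party: "party1", Amount: 100}
	verifier := EthVerifier{EthIdentity(genuine): true}
	p := NewProcessor(verifier, keyFn)
	_ = p.Handle(genuine)
	for i := 0; i < copies; i++ {
		forged := genuine
		forged.TxID = fmt.Sprintf("0xforged%03d", i) // step 4 of the advisory
		_ = p.Handle(forged)
	}
	return p.Balances["party1"]
}

func main() {
	fmt.Println("vulnerable:", Replay(VulnerableKey, 49)) // 5000
	fmt.Println("hardened:  ", Replay(HardenedKey, 49))   // 100
}
```

With the vulnerable key the 49 forged copies each pass the duplicate check and then verify as the genuine deposit, giving the 5000-for-100 outcome the advisory describes; with the hardened key every copy collides with the original and is rejected as a duplicate before it reaches verification. The general rule the example illustrates is that a replay-protection key must be derived from data the attacker cannot vary without also invalidating the proof, never from a free-form field the submitter fills in.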