Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

No trusting period or attestation expiry time check in Ethereum #243

Open
dalmirel opened this issue Oct 25, 2023 · 0 comments
Open

No trusting period or attestation expiry time check in Ethereum #243

dalmirel opened this issue Oct 25, 2023 · 0 comments
Labels
audit

Comments

@dalmirel
Copy link

Involved artifacts

Description

The EndBlocker in the QGB module has a function to remove old attestations. Attestations are considered expired if they are older than the AttestationExpiryTime, which is currently set to the consensus unbonding period (3 weeks) - trusted period.

  • The Solidity contract doesn't verify the attestation's expiry time, nor does the QGB module keep track of when the attestation was last processed. As a result, the contract can't determine if the attestation has expired since the last processing, and it won't be aware of any pruning that occurred in the QGB module.

The Tendermint security model establishes a trusting period to ensure that validators with over 2/3 of the voting power, who signed the block, are behaving correctly during this period. In simple terms, once the trusting period is over, we must assume that validators could act arbitrarily.

  • The Solidity contract doesn't check this trusting period, and it doesn't record the last time the checkpoint was updated. Consequently, the contract can't confirm if the trusting period has passed since the last update. Even though the QGB design updates the validator set as soon as a validator starts unbonding, issues might arise if the attestation containing this update isn't accepted on the QGB Smart Contract.

Problem Scenarios

If no attestation processing (including valset updates and data commitments) occurs for a period longer tshan the attestation expiry time, it can be attributed to the following reasons:

  • Validators may not be signing
  • It's possible that a relayer is unable to transfer the ValSetUpdate on Ethereum. This could be due to factors such as high transaction fees, lost connections, and so on.
  • There might not be active or honest relayers or orchestrators/validators available to reach the necessary voting power threshold.

As a result, the current checkpoint in the Solidity contract may become disconnected from the current status of bonded and unbonding validators on the Cosmos side.
It's essential to understand that the Solidity smart contract is:

  • under the complete control of the validators within the checkpoint and
  • expecting the nonce, next to be processed and is unaware of the pruning happened on the QGB module, which deleted nonces.

Recommendation

Address the issue with implementing a check for the age of the current checkpoint and time passed from the latest attestation processed.
Alternatively, the design choice should be made explicit in the documentation.
@rach-id rach-id added the audit label Oct 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
audit
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rach-id @dalmirel