Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

IBC Rate Limiting Audit Fixes #818

Merged
merged 24 commits into from
Jun 13, 2023
Merged

IBC Rate Limiting Audit Fixes #818

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
8e59f69
added undo rate limit send packet
sampocs Jun 6, 2023
3c449a6
added pending packet sequence keepers
sampocs Jun 6, 2023
ea03a06
implemented sequence checks and unit tests
sampocs Jun 6, 2023
b595566
added whitelist address keeper functions
sampocs Jun 6, 2023
42e283d
implemented address whitelist and unit tests
sampocs Jun 6, 2023
a20260f
updated readme
sampocs Jun 6, 2023
f4de6e8
added whitelist address in register host zone
sampocs Jun 7, 2023
f6ac6e7
fixed unit test
sampocs Jun 7, 2023
1e5cbd8
added queries for denom blacklist and address whitelist
sampocs Jun 7, 2023
8bedb4a
only stored pending packet if rate limit exists
sampocs Jun 7, 2023
7b2af20
fixed bug in build.sh with juno
sampocs Jun 8, 2023
9d60d30
increased gas
sampocs Jun 8, 2023
af2a635
fixed rate limit integration tests
sampocs Jun 9, 2023
2ad2213
fixed init/export genesis
sampocs Jun 9, 2023
489748c
changes after testing timeout/failure
sampocs Jun 11, 2023
8cd33f8
addressed aidan PR comments
sampocs Jun 12, 2023
0ee1f22
temporarily reverted address whitelist check
sampocs Jun 12, 2023
a98df1d
added whitelist to protos
sampocs Jun 13, 2023
74fb0cf
implemented new whitelist and unit tests
sampocs Jun 13, 2023
0c9b08d
added whitelist address in register host zone
sampocs Jun 13, 2023
5ed0bfd
fixed queries and init genesis
sampocs Jun 13, 2023
730d7ec
renamed whitelist address data struct and keepers
sampocs Jun 13, 2023
c347de9
updated readme
sampocs Jun 13, 2023
c6846d3
Merge branch 'main' into sam/ratelimit-audit-fix-timeout
sampocs Jun 13, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
only stored pending packet if rate limit exists
  • Loading branch information
@sampocs
sampocs committed Jun 7, 2023
commit 8bedb4a06ed82b962d42336a7dc60dcaf096cb62
2 changes: 1 addition & 1 deletion x/ratelimit/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -225,7 +225,7 @@ GetAllWhitelistedAddresses() []string
// Checks whether a packet will exceed a rate limit quota
// If it does not exceed the quota, it updates the `Inflow` or `Outflow`
// If it exceeds the quota, it returns an error
CheckRateLimitAndUpdateFlow(direction types.PacketDirection, packetInfo RateLimitedPacketInfo)
CheckRateLimitAndUpdateFlow(direction types.PacketDirection, packetInfo RateLimitedPacketInfo) (updated bool)

// Reverts the change in outflow from a SendPacket if it fails or times out
UndoSendPacket(channelId string, sequence uint64, denom string, amount sdkmath.Int)
Expand Down
9 changes: 6 additions & 3 deletions x/ratelimit/keeper/packet.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,14 +165,16 @@ func (k Keeper) SendRateLimitedPacket(ctx sdk.Context, packet channeltypes.Packe
}

// Check if the packet would exceed the outflow rate limit
err = k.CheckRateLimitAndUpdateFlow(ctx, types.PACKET_SEND, packetInfo)
updatedFlow, err := k.CheckRateLimitAndUpdateFlow(ctx, types.PACKET_SEND, packetInfo)
if err != nil {
return err
}

// Store the sequence number of the packet so that if the transfer fails,
// we can identify if it was sent during this quota and can revert the outflow
k.SetPendingSendPacket(ctx, packetInfo.ChannelID, packet.Sequence)
if updatedFlow {
k.SetPendingSendPacket(ctx, packetInfo.ChannelID, packet.Sequence)
}

return nil
}
Expand All @@ -185,7 +187,8 @@ func (k Keeper) ReceiveRateLimitedPacket(ctx sdk.Context, packet channeltypes.Pa
return err
}

return k.CheckRateLimitAndUpdateFlow(ctx, types.PACKET_RECV, packetInfo)
_, err = k.CheckRateLimitAndUpdateFlow(ctx, types.PACKET_RECV, packetInfo)
return err
}

// Middleware implementation for OnAckPacket with rate limiting
Expand Down
19 changes: 11 additions & 8 deletions x/ratelimit/keeper/rate_limit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,11 @@ func (k Keeper) UpdateFlow(rateLimit types.RateLimit, direction types.PacketDire

// Checks whether the given packet will exceed the rate limit
// Called by OnRecvPacket and OnSendPacket
func (k Keeper) CheckRateLimitAndUpdateFlow(ctx sdk.Context, direction types.PacketDirection, packetInfo RateLimitedPacketInfo) error {
func (k Keeper) CheckRateLimitAndUpdateFlow(
ctx sdk.Context,
direction types.PacketDirection,
packetInfo RateLimitedPacketInfo,
) (updatedFlow bool, err error) {
denom := packetInfo.Denom
channelId := packetInfo.ChannelID
amount := packetInfo.Amount
Expand All @@ -63,33 +67,32 @@ func (k Keeper) CheckRateLimitAndUpdateFlow(ctx sdk.Context, direction types.Pac
if k.IsDenomBlacklisted(ctx, denom) {
err := errorsmod.Wrapf(types.ErrDenomIsBlacklisted, "denom %s is blacklisted", denom)
EmitTransferDeniedEvent(ctx, types.EventBlacklistedDenom, denom, channelId, direction, amount, err)
return err
return false, err
}

// If there's no rate limit yet for this denom, no action is necessary
rateLimit, found := k.GetRateLimit(ctx, denom, channelId)
if !found {
return nil
return false, nil
}

// Check if the sender or receiver are white listed
// If so, return a success without modifying the quota
if k.IsAddressWhitelisted(ctx, packetInfo.Sender) || k.IsAddressWhitelisted(ctx, packetInfo.Receiver) {
Copy link
Contributor

@asalzmann asalzmann Jun 11, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if k.IsAddressWhitelisted(ctx, packetInfo.Sender) || k.IsAddressWhitelisted(ctx, packetInfo.Receiver) {
if k.IsAddressWhitelisted(ctx, packetInfo.Sender) && direction == types.PACKET_SEND || k.IsAddressWhitelisted(ctx, packetInfo.Receiver) && directino == types.PACKET_RECEIVE {

I think this condition is more specific, it's unnecessarily broad right now (e.g. sending to stride's module account address on a counterparty chain would be whitelisted)

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@asalzmann thinking about this a bit more, I'm wondering if we should just remove the ICA accounts from the whitelist now that there's the extra clause that specifies the packet type?

The epochly transfer would be a SEND_PACKET with Sender == module account, and the prop 8 transfer would be a RECV_PACKET with Receiver == module account. I'm not sure there's any other cases to worry about

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That seems cleaner to me. Agree that those are the only two cases. Note: I believe prop 8 rev goes into a separate module account, that will need to be whitelisted.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually an even slightly safer design imo would be

Whitelist

  • Both must be true: (SENDER == DELEGATION_ICA) && (RECEIVER == MAIN STAKEIBC MODULE ACCOUNT)
  • Both must be true: (SENDER == WITHDRAWAL_ICA) && (RECEIVER == PROP8 STAKEIBC MODULE ACCOUNT)

With the "either or" whitelist approach and whitelisting the main stakeibc mod acct and the delegation ICA, I think we've disabled rate limits along these paths:

  • transfers from stakeibc module account to malicious cosmoshub address
  • transfers from delegation acct to malicious stride address

return nil
return false, nil
}

// Update the flow object with the change in amount
err := k.UpdateFlow(rateLimit, direction, amount)
if err != nil {
if err := k.UpdateFlow(rateLimit, direction, amount); err != nil {
// If the rate limit was exceeded, emit an event
EmitTransferDeniedEvent(ctx, types.EventRateLimitExceeded, denom, channelId, direction, amount, err)
return err
return false, err
}

// If there's no quota error, update the rate limit object in the store with the new flow
k.SetRateLimit(ctx, rateLimit)

return nil
return true, nil
}

// If a SendPacket fails or times out, undo the outflow increment that happened during the send
Expand Down
7 changes: 5 additions & 2 deletions x/ratelimit/keeper/rate_limit_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -297,15 +297,18 @@ func (s *KeeperTestSuite) processCheckRateLimitAndUpdateFlowTestCase(tc checkRat
Sender: sender,
Receiver: receiver,
}
err := s.App.RatelimitKeeper.CheckRateLimitAndUpdateFlow(s.Ctx, action.direction, packetInfo)
updatedFlow, err := s.App.RatelimitKeeper.CheckRateLimitAndUpdateFlow(s.Ctx, action.direction, packetInfo)

// Each action optionally errors or skips a flow update
if action.expectedError != "" {
s.Require().ErrorContains(err, action.expectedError, tc.name+" - action: #%d - error", i)
} else {
s.Require().NoError(err, tc.name+" - action: #%d - no error", i)

if !action.skipFlowUpdate {
expectedUpdateFlow := !action.skipFlowUpdate
s.Require().Equal(expectedUpdateFlow, updatedFlow, tc.name+" - action: #%d - updated flow", i)

if expectedUpdateFlow {
if action.direction == types.PACKET_RECV {
expectedInflow = expectedInflow.Add(amount)
} else {
Expand Down