fix(x/forwarding)!: bind token identity to forwarding address derivation#6906
Conversation
There was a problem hiding this comment.
Claude Code Review
This repository is configured for manual code reviews. Comment @claude review to trigger a review.
Tip: disable this comment in your organization's Code Review settings.
|
Hi @damiannolan @rootulp @rach-id, This PR directly addresses two distinct and independent security vulnerabilities I reported through Celestia's security program. Both were submitted with full end-to-end PoCs.
These are two independent vulnerabilities with different root causes, different impacts, and different attack flows. Fixing one would not have fixed the other. Both are also distinct from CELESTIA-234, as both were identified and reported after PR #6877 was already merged. The scope of this refactor directly corresponds to the attack vectors I disclosed, and I would appreciate acknowledgment of this. Specifically:
Thank you. |
|
Hi @loopghost! Thank you for dropping a comment here. I will of course update the PR title and add acknowledgements within the description. Much appreciated for your reports, they have been invaluable! cc. @rootulp for HackenProof status updates |
|
Thank you so much @damiannolan, really appreciate the quick response and the kind words! Super happy to know my contributions have been valuable to the team. I'll definitely keep at it. Looking forward to the updates and to @rootulp's confirmation on the HackenProof side. Let me know if you need anything else from me. |
|
Moved CELESTIA-247 to triaged. |
rootulp
left a comment
There was a problem hiding this comment.
Thanks for the quick turnaround on the fix! 🙏 really appreciate it
|
@Mergifyio refresh |
✅ Pull request refreshed |
…ion (#6906) ## Overview This PR adds the token identifier `HexAddress` to the forwarding address derivation. This hoists the trust model off-chain, preventing linear scan of global permissionless warp tokens. Below are the outcomes associated with that design decision that affect this PR. **Adding the token_id to the forwarding address derivation:** - Trusted frontends provide token identifiers for forwarding address derivation - This means we can now only forward that token in a single MsgForward execution - as that is the token identifier committed to in the forwarding address - No send all denom balances in one go - Relayers can still submit a single tx with n MsgForward payloads - No partial failures - This is actually a safer design decision, no need to worry about multiple token atomicity in execution path - There will exist a forwarding address for each unique denom - E.g. Address for TIA is different to address for USDC for forwarding to same recipient 0x...abcd on destination domain 1234 Previous issue re. poisoning account with IBC denoms is void, as the token id is provided in rpcs (less ambiguity) If somebody sends random denom assets to a forwarding address those funds are irrecoverable by design (no poison pill, accepted user risk) Please disregard the failing `Protobuf break-check` CI. --- **NOTE**: This PR directly addresses two bug reports submitted by @loopghost. This includes CELESTIA-247 via HackenProof and another submitted privately via email. <!-- devin-review-badge-begin --> --- <a href="https://app.devin.ai/review/celestiaorg/celestia-app/pull/6906" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a> <!-- devin-review-badge-end --> (cherry picked from commit 1c37708) # Conflicts: # go.mod # test/docker-e2e/e2e_hyperlane_test.go # x/forwarding/keeper/msg_server.go # x/forwarding/keeper/msg_server_test.go
…ion (backport #6906) (#6920) ## Overview This PR adds the token identifier `HexAddress` to the forwarding address derivation. This hoists the trust model off-chain, preventing linear scan of global permissionless warp tokens. Below are the outcomes associated with that design decision that affect this PR. **Adding the token_id to the forwarding address derivation:** - Trusted frontends provide token identifiers for forwarding address derivation - This means we can now only forward that token in a single MsgForward execution - as that is the token identifier committed to in the forwarding address - No send all denom balances in one go - Relayers can still submit a single tx with n MsgForward payloads - No partial failures - This is actually a safer design decision, no need to worry about multiple token atomicity in execution path - There will exist a forwarding address for each unique denom - E.g. Address for TIA is different to address for USDC for forwarding to same recipient 0x...abcd on destination domain 1234 Previous issue re. poisoning account with IBC denoms is void, as the token id is provided in rpcs (less ambiguity) If somebody sends random denom assets to a forwarding address those funds are irrecoverable by design (no poison pill, accepted user risk) Please disregard the failing `Protobuf break-check` CI. --- **NOTE**: This PR directly addresses two bug reports submitted by @loopghost. This includes CELESTIA-247 via HackenProof and another submitted privately via email. --- <a href="https://app.devin.ai/review/celestiaorg/celestia-app/pull/6906" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a> <hr>This is an automatic backport of pull request #6906 done by [Mergify](https://mergify.com). <!-- devin-review-badge-begin --> --- <a href="https://app.devin.ai/review/celestiaorg/celestia-app/pull/6920" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a> <!-- devin-review-badge-end --> --------- Co-authored-by: Damian Nolan <[email protected]>
Overview
This PR adds the token identifier
HexAddressto the forwarding address derivation.This hoists the trust model off-chain, preventing linear scan of global permissionless warp tokens.
Below are the outcomes associated with that design decision that affect this PR.
Adding the token_id to the forwarding address derivation:
Previous issue re. poisoning account with IBC denoms is void, as the token id is provided in rpcs (less ambiguity)
If somebody sends random denom assets to a forwarding address those funds are irrecoverable by design (no poison pill, accepted user risk)
Please disregard the failing
Protobuf break-checkCI.NOTE: This PR directly addresses two bug reports submitted by @loopghost. This includes CELESTIA-247 via HackenProof and another submitted privately via email.