Comments (8)
tony-iqlusion
commented on August 24, 2024
1
Is there a deeper issue if the Osmosis chain accepted invalid public keys as part of a successful transaction?
Possibly. You might open an Osmosis issue about this block and see if they can figure out what happened.
from tendermint-rs.
tony-iqlusion
commented on August 24, 2024
1
@penso as a stopgap, you can parse these transactions as e.g. cosmos_sdk_proto::cosmos::tx::v1beta1::Tx rather than cosmrs::Tx
from tendermint-rs.
ValarDragon
commented on August 24, 2024
1
This is likely coming from the SDK not validating this first byte here: https://github.com/cosmos/cosmos-sdk/blob/main/crypto/keys/secp256k1/secp256k1.go#L203-L211
from tendermint-rs.
tony-iqlusion
commented on August 24, 2024
Seems similar to #1417, but in this case the public key is invalid:
AF390E8EB13DC2C89F91D09EB5BEF64367BD3BD0C3446C270A6277335228E7DF87
It's 33-bytes like we'd expect: SEC1 tag || secp256k1 x-coordinate, but where a valid SEC1 tag is: 0x00, 0x02, 0x03, 0x04, this key for whatever reason has 0xAF, which is not a valid SEC1 tag.
from tendermint-rs.
tony-iqlusion
commented on August 24, 2024
Really this is a CosmRS (and Osmosis) issue as opposed to a tendermint-rs one. CosmRS tries to eagerly parse the public key, and it seems like we just won't be able to rely on chains not to put out garbage public keys. Those garbage public keys likely represent some sort of bug in Osmosis where it failed to validate the key in the first place, but once they wind up in the chain data there's really no way of fixing them.
from tendermint-rs.
penso
commented on August 24, 2024
- Agreed
cosmos-rustshouldn't try to validate public keys, there is too much garbage out there. Maybe it should be a specific call likepublic_key.is_valid()to prevent such issues but looking at the code you can't create an invalidPublicKeyso it should be done differently, like holding the raw bytes for the keys and only callSecp256k1::from_sec1_byteswhenis_valid()orparse()is called. - Is there a deeper issue if the Osmosis chain accepted invalid public keys as part of a successful transaction? Any security issue here? I guess those show up on mintscan because mintscan is using code not parsing/validating public keys.
from tendermint-rs.
penso
commented on August 24, 2024
Closing this, will followup if any news.
from tendermint-rs.
tony-iqlusion
commented on August 24, 2024
I opened a Cosmos SDK bug: cosmos/cosmos-sdk#20406
from tendermint-rs.
Related Issues (20)
- Optimise validator lookup in voting_power_in
- Deserialization of `abci::Event` fails HOT 6
- Can't get status when validator key is blank HOT 4
- Allow rate limiting clients HOT 1
- Add the possibility to override User-Agent for queries HOT 3
- WebSocket subscription query not found HOT 2
- FinalizeBlock Response Deserialization Bug
- Release v0.37.0 HOT 1
- Websocket client is unable to subscribe to vote events HOT 8
- block: domain type validation is too stringent HOT 1
- Add `/genesis_chunked` RPC endpoint
- rpc: Deserializing `/block_results` with empty JSON `consensus_param_updates` fails
- Last block deserialization from SEI tendermint nodes is failing HOT 1
- Generate code for all `google.protobuf` types
- Fail to decode `AppHash` from `/block_results` response HOT 2
- Release v0.38.1
- proto: `std` feature is broken HOT 1
- Ensure compatibility of misbehaviour evidence JSON serialization with CometBFT v0.37.10 and v0.38.11
- Split out `tendermint-proto` into separate repository HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tendermint-rs.