althea-net / cosmos-gravity-bridge

A CosmosSDK application for moving assets on and off of EVM based, POW chains


Endblocker panics may halt consensus engine

andrey-kuprianov opened this issue

Surfaced from the @informalsystems audit of Althea Gravity Bridge at commit 19a4cfe

severity: High
type: Implementation bug
difficulty: Easy

Involved artifacts

Description

As specified in the Cosmos SDK documentation:

BeginBlocker and EndBlocker are a way for module developers to add automatic execution of logic to their module. This is a powerful tool that should be used carefully, as complex automatic functions can slow down or even halt the chain.

Also here:

...it is important to remember that application-specific blockchains are deterministic. Developers must be careful not to introduce non-determinism in BeginBlocker or EndBlocker, and must also be careful not to make them too computationally expensive, as gas does not constrain the cost of BeginBlocker and EndBlocker execution.

Specifically, those functions should never panic. Gravity Bridge's EndBlocker, by contrast, contains complicated machinery in which many panics are reachable; in particular:

Problem Scenarios

Whenever any of the above panic calls fires, the consensus engine will halt, causing immeasurable damage to the chain participants. This may happen unintentionally, due to a validation error, or deliberately, because malicious inputs were crafted to attack the Cosmos chain.

It should be noted that a Cosmos chain where the Gravity Bridge is deployed will contain many other modules and a lot of other functionality. While the Gravity Bridge functions are important, they should not monopolize the Cosmos chain; the general attitude between Cosmos modules should be a cooperative one, where every module tries to behave decently towards the others in the community.

Recommendation

Short term

  • Carefully inspect the source code, and eliminate any possibility of panics leaking from Gravity Bridge's EndBlocker.

Long term

  • EndBlocker is overloaded with a plethora of tasks. Refactor the source code, reduce the logic in the EndBlocker to the minimum, and shift most of it to message handlers.
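The two patterns the short-term recommendation points at, shown as an added Go example that is not Gravity Bridge or Cosmos SDK code: a validation panic is replaced by a returned error, and, as defense in depth, the EndBlocker body runs against a scratch copy of state with a `recover` so that a panic becomes a logged error and its partial writes are discarded (this mirrors the Cosmos SDK cache-context-then-write pattern, but the `State` map, `runEndBlockerGuarded` and `processBatch*` functions are constructed for this illustration).

```go
package main

import (
	"errors"
	"fmt"
)

// State is a simplified stand-in for a module KVStore (constructed for this example).
type State map[string]string

// runEndBlockerGuarded runs fn against a scratch copy of state and recovers any panic.
// Writes reach the real state only if fn completes; a recovered panic becomes an error
// the caller can log, so the node keeps producing blocks instead of halting.
// (Deletions are not propagated; the copy is enough to show the pattern.)
func runEndBlockerGuarded(state State, fn func(State)) (err error) {
	scratch := make(State, len(state))
	for k, v := range state {
		scratch[k] = v
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("end blocker panicked, changes discarded: %v", r)
		}
	}()
	fn(scratch)
	for k, v := range scratch {
		state[k] = v
	}
	return nil
}

// processBatchPanics is constructed EndBlocker-style logic that panics on bad input,
// the shape of defect the issue describes.
func processBatchPanics(s State, nonce int) {
	if nonce <= 0 {
		panic("invalid batch nonce")
	}
	s["last_batch_nonce"] = fmt.Sprint(nonce)
}

// processBatchChecked is the same logic with the panic turned into a returned error,
// which is the preferred fix: the caller decides how to handle it, and consensus continues.
func processBatchChecked(s State, nonce int) error {
	if nonce <= 0 {
		return errors.New("invalid batch nonce")
	}
	s["last_batch_nonce"] = fmt.Sprint(nonce)
	return nil
}
```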