# ICA host params

Date: 2024/08/29

## Context

The ICA host module is misconfigured on Arabica and Mocha. The param `AllowMessages` is set to the default `[*]` which allows all messages. It should have been set to an explicit allowlist defined in [CIP-14](https://github.com/celestiaorg/CIPs/blob/main/cips/cip-14.md). See [https://github.com/celestiaorg/celestia-app/issues/3824](https://github.com/celestiaorg/celestia-app/issues/3824).

## Resolution strategies

### [short term]: Block validity rule that rejects ICA transactions with a message that contains a non-allowlisted message. [#3836](https://github.com/celestiaorg/celestia-app/issues/3836)

Note: Implement a block validity rule in prepare/process proposal that rejects blocks with ICA messages not on a hard-coded whitelist (ignore the param value). Release this in a minor release (v2.4.x) as a soft fork. Put it on Arabica for a day, Mocha for a day, Mainnet.

### [short term]: Governance proposal [#3827](https://github.com/celestiaorg/celestia-app/issues/3827)

Pro: One consistent solution for all networks.

Con: There will be a short time period where mainnet has the wildcard which poses a risk if an attacker can use a message via ICA that wasn't intended to be used (i.e. PayForBlob)

Gov proposals take 1 week on Arabica, 1 day on Mocha, 1 week on Mainnet.

### [long term] Make param unmodifiable by governance and hard-code allowlist. Put it on Arabica, Mocha, then Mainnet. [#3837](https://github.com/celestiaorg/celestia-app/issues/3837)

Make the param non-governance modifiable and hard-code it to the allowlist.

Con: this has to wait for celestia-app v3.x.x

## FAQ

### What messages should be on the whitelist?

```
/ibc.applications.transfer.v1.MsgTransfer
/cosmos.bank.v1beta1.MsgSend
/cosmos.staking.v1beta1.MsgDelegate
/cosmos.staking.v1beta1.MsgBeginRedelegate
/cosmos.staking.v1beta1.MsgUndelegate
/cosmos.staking.v1beta1.MsgCancelUnbondingDelegation
/cosmos.distribution.v1beta1.MsgSetWithdrawAddress
/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward
/cosmos.distribution.v1beta1.MsgFundCommunityPool
/cosmos.gov.v1.MsgVote
/cosmos.feegrant.v1beta1.MsgGrantAllowance
/cosmos.feegrant.v1beta1.MsgRevokeAllowance
```

### What messages does v2 support that aren't on the whitelist?

See this [comment](https://github.com/celestiaorg/celestia-app/issues/3678#issuecomment-2315813856) for a list of all message types per app version.

```
/celestia.blob.v1.MsgPayForBlobs
/celestia.signal.v1.MsgSignalVersion
/celestia.signal.v1.MsgTryUpgrade
/cosmos.authz.v1beta1.MsgExec
/cosmos.authz.v1beta1.MsgGrant
/cosmos.authz.v1beta1.MsgRevoke
/cosmos.bank.v1beta1.MsgMultiSend
/cosmos.crisis.v1beta1.MsgVerifyInvariant
/cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission
/cosmos.evidence.v1beta1.MsgSubmitEvidence
/cosmos.gov.v1.MsgDeposit
/cosmos.gov.v1.MsgExecLegacyContent
/cosmos.gov.v1.MsgSubmitProposal
/cosmos.gov.v1.MsgVoteWeighted
/cosmos.gov.v1beta1.MsgDeposit
/cosmos.gov.v1beta1.MsgSubmitProposal
/cosmos.gov.v1beta1.MsgVote
/cosmos.gov.v1beta1.MsgVoteWeighted
/cosmos.slashing.v1beta1.MsgUnjail
/cosmos.staking.v1beta1.MsgCreateValidator
/cosmos.staking.v1beta1.MsgEditValidator
/cosmos.vesting.v1beta1.MsgCreatePeriodicVestingAccount
/cosmos.vesting.v1beta1.MsgCreatePermanentLockedAccount
/cosmos.vesting.v1beta1.MsgCreateVestingAccount
/ibc.core.channel.v1.MsgAcknowledgement
/ibc.core.channel.v1.MsgChannelCloseConfirm
/ibc.core.channel.v1.MsgChannelCloseInit
/ibc.core.channel.v1.MsgChannelOpenAck
/ibc.core.channel.v1.MsgChannelOpenConfirm
/ibc.core.channel.v1.MsgChannelOpenInit
/ibc.core.channel.v1.MsgChannelOpenTry
/ibc.core.channel.v1.MsgRecvPacket
/ibc.core.channel.v1.MsgTimeout
/ibc.core.channel.v1.MsgTimeoutOnClose
/ibc.core.client.v1.MsgCreateClient
/ibc.core.client.v1.MsgSubmitMisbehaviour
/ibc.core.client.v1.MsgUpdateClient
/ibc.core.client.v1.MsgUpgradeClient
/ibc.core.connection.v1.MsgConnectionOpenAck
/ibc.core.connection.v1.MsgConnectionOpenConfirm
/ibc.core.connection.v1.MsgConnectionOpenInit
/ibc.core.connection.v1.MsgConnectionOpenTry
```

### What do other chains configure for `AllowMessages`?

#### Cosmos Hub

```shell
grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' cosmos-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params
{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"*\"]"
  }
}
```

#### Stride

```shell
grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' stride-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params
{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"/cosmos.bank.v1beta1.MsgSend\",\"/cosmos.bank.v1beta1.MsgMultiSend\",\"/cosmos.staking.v1beta1.MsgDelegate\",\"/cosmos.staking.v1beta1.MsgUndelegate\",\"/cosmos.staking.v1beta1.MsgBeginRedelegate\",\"/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward\",\"/cosmos.distribution.v1beta1.MsgSetWithdrawAddress\",\"/ibc.applications.transfer.v1.MsgTransfer\",\"/cosmos.gov.v1beta1.MsgVote\",\"/stride.stakeibc.MsgLiquidStake\",\"/stride.stakeibc.MsgRedeemStake\",\"/stride.stakeibc.MsgClaimUndelegatedTokens\"]"
  }
}
```

#### Osmosis

```shell
grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' osmosis-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params
{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"/ibc.applications.transfer.v1.MsgTransfer\",\"/cosmos.bank.v1beta1.MsgSend\",\"/cosmos.staking.v1beta1.MsgDelegate\",\"/cosmos.staking.v1beta1.MsgBeginRedelegate\",\"/cosmos.staking.v1beta1.MsgCreateValidator\",\"/cosmos.staking.v1beta1.MsgEditValidator\",\"/cosmos.staking.v1beta1.MsgUndelegate\",\"/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward\",\"/cosmos.distribution.v1beta1.MsgSetWithdrawAddress\",\"/cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission\",\"/cosmos.distribution.v1beta1.MsgFundCommunityPool\",\"/cosmos.gov.v1beta1.MsgVote\",\"/osmosis.gamm.v1beta1.MsgJoinPool\",\"/osmosis.gamm.v1beta1.MsgExitPool\",\"/osmosis.gamm.v1beta1.MsgSwapExactAmountIn\",\"/osmosis.gamm.v1beta1.MsgSwapExactAmountOut\",\"/osmosis.gamm.v1beta1.MsgJoinSwapExternAmountIn\",\"/osmosis.gamm.v1beta1.MsgJoinSwapShareAmountOut\",\"/osmosis.gamm.v1beta1.MsgExitSwapExternAmountOut\",\"/osmosis.gamm.v1beta1.MsgExitSwapShareAmountIn\",\"/osmosis.gamm.poolmodels.balancer.v1beta1.MsgCreateBalancerPool\",\"/osmosis.lockup.MsgLockTokens\",\"/osmosis.lockup.MsgBeginUnlocking\",\"/cosmwasm.wasm.v1.MsgExecuteContract\",\"/cosmwasm.wasm.v1.MsgInstantiateContract\",\"/osmosis.superfluid.MsgSuperfluidUndelegateAndUnbondLock\",\"/osmosis.superfluid.MsgLockAndSuperfluidDelegate\",\"/osmosis.superfluid.MsgSuperfluidDelegate\",\"/osmosis.superfluid.MsgSuperfluidUndelegate\",\"/osmosis.superfluid.MsgSuperfluidUnbondLock\",\"/osmosis.superfluid.MsgCreateFullRangePositionAndSuperfluidDelegate\",\"/osmosis.superfluid.MsgUnlockAndMigrateSharesToFullRangeConcentratedPosition\",\"/osmosis.superfluid.MsgAddToConcentratedLiquiditySuperfluidPosition\",\"/osmosis.superfluid.MsgUnbondConvertAndStake\",\"/osmosis.poolmanager.v1beta1.MsgSwapExactAmountIn\",\"/osmosis.poolmanager.v1beta1.MsgSwapExactAmountInResponse\",\"/osmosis.poolmanager.v1beta1.SwapAmountInRoute\",\"/cosmos.authz.v1beta1.MsgGrant\",\"/cosmos.authz.v1beta1.MsgRevoke\"]"
  }
}
```

#### Neutron

```shell
$ grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' neutron-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params
{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"*\"]"
  }
}
```