Try   HackMD

ICA host params

Date: 2024/08/29

Context

The ICA host module is misconfigured on Arabica and Mocha. The param AllowMessages is set to the default [*] which allows all messages. It should have been set to an explicit allowlist defined in CIP-14.

See https://github.com/celestiaorg/celestia-app/issues/3824.

Resolution strategies

[short term]: Block validity rule that rejects ICA transactions with a message that contains a non-allowlisted message. #3836

Note: Implement a block validity rule in prepare/process proposal that rejects blocks with ICA messages not on a hard-coded whitelist (ignore the param value). Release this in a minor release (v2.4.x) as a soft fork.

Put it on Arabica for a day, Mocha for a day, Mainnet.

[short term]: Governance proposal #3827

Pro: One consistent solution for all networks.

Con: There will be a short time period where mainnet has the wildcard which poses a risk if an attacker can use a message via ICA that wasn't intended to be used (i.e. PayForBlob)

Gov proposals take 1 week on Arabica, 1 day on Mocha, 1 week on Mainnet.

[long term] Make param unmodifiable by governance and hard-code allowlist. Put it on Arabica, Mocha, then Mainnet. #3837

Make the param non-governance modifiable and hard-code it to the allowlist.

Con: this has to wait for celestia-app v3.x.x

FAQ

What messages should be on the whitelist?

/ibc.applications.transfer.v1.MsgTransfer
/cosmos.bank.v1beta1.MsgSend
/cosmos.staking.v1beta1.MsgDelegate
/cosmos.staking.v1beta1.MsgBeginRedelegate
/cosmos.staking.v1beta1.MsgUndelegate
/cosmos.staking.v1beta1.MsgCancelUnbondingDelegation
/cosmos.distribution.v1beta1.MsgSetWithdrawAddress
/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward
/cosmos.distribution.v1beta1.MsgFundCommunityPool
/cosmos.gov.v1.MsgVote
/cosmos.feegrant.v1beta1.MsgGrantAllowance
/cosmos.feegrant.v1beta1.MsgRevokeAllowance

What messages does v2 support that aren't on the whitelist?

See this comment for a list of all message types per app version.

/celestia.blob.v1.MsgPayForBlobs
/celestia.signal.v1.MsgSignalVersion
/celestia.signal.v1.MsgTryUpgrade
/cosmos.authz.v1beta1.MsgExec
/cosmos.authz.v1beta1.MsgGrant
/cosmos.authz.v1beta1.MsgRevoke
/cosmos.bank.v1beta1.MsgMultiSend
/cosmos.crisis.v1beta1.MsgVerifyInvariant
/cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission
/cosmos.evidence.v1beta1.MsgSubmitEvidence
/cosmos.gov.v1.MsgDeposit
/cosmos.gov.v1.MsgExecLegacyContent
/cosmos.gov.v1.MsgSubmitProposal
/cosmos.gov.v1.MsgVoteWeighted
/cosmos.gov.v1beta1.MsgDeposit
/cosmos.gov.v1beta1.MsgSubmitProposal
/cosmos.gov.v1beta1.MsgVote
/cosmos.gov.v1beta1.MsgVoteWeighted
/cosmos.slashing.v1beta1.MsgUnjail
/cosmos.staking.v1beta1.MsgCreateValidator
/cosmos.staking.v1beta1.MsgEditValidator
/cosmos.vesting.v1beta1.MsgCreatePeriodicVestingAccount
/cosmos.vesting.v1beta1.MsgCreatePermanentLockedAccount
/cosmos.vesting.v1beta1.MsgCreateVestingAccount
/ibc.core.channel.v1.MsgAcknowledgement
/ibc.core.channel.v1.MsgChannelCloseConfirm
/ibc.core.channel.v1.MsgChannelCloseInit
/ibc.core.channel.v1.MsgChannelOpenAck
/ibc.core.channel.v1.MsgChannelOpenConfirm
/ibc.core.channel.v1.MsgChannelOpenInit
/ibc.core.channel.v1.MsgChannelOpenTry
/ibc.core.channel.v1.MsgRecvPacket
/ibc.core.channel.v1.MsgTimeout
/ibc.core.channel.v1.MsgTimeoutOnClose
/ibc.core.client.v1.MsgCreateClient
/ibc.core.client.v1.MsgSubmitMisbehaviour
/ibc.core.client.v1.MsgUpdateClient
/ibc.core.client.v1.MsgUpgradeClient
/ibc.core.connection.v1.MsgConnectionOpenAck
/ibc.core.connection.v1.MsgConnectionOpenConfirm
/ibc.core.connection.v1.MsgConnectionOpenInit
/ibc.core.connection.v1.MsgConnectionOpenTry

What do other chains configure for AllowMessages?

Cosmos Hub

grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' cosmos-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params

{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"*\"]"
  }
}

Stride

grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' stride-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params

{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"/cosmos.bank.v1beta1.MsgSend\",\"/cosmos.bank.v1beta1.MsgMultiSend\",\"/cosmos.staking.v1beta1.MsgDelegate\",\"/cosmos.staking.v1beta1.MsgUndelegate\",\"/cosmos.staking.v1beta1.MsgBeginRedelegate\",\"/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward\",\"/cosmos.distribution.v1beta1.MsgSetWithdrawAddress\",\"/ibc.applications.transfer.v1.MsgTransfer\",\"/cosmos.gov.v1beta1.MsgVote\",\"/stride.stakeibc.MsgLiquidStake\",\"/stride.stakeibc.MsgRedeemStake\",\"/stride.stakeibc.MsgClaimUndelegatedTokens\"]"
  }
}

Osmosis

grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' osmosis-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params

{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"/ibc.applications.transfer.v1.MsgTransfer\",\"/cosmos.bank.v1beta1.MsgSend\",\"/cosmos.staking.v1beta1.MsgDelegate\",\"/cosmos.staking.v1beta1.MsgBeginRedelegate\",\"/cosmos.staking.v1beta1.MsgCreateValidator\",\"/cosmos.staking.v1beta1.MsgEditValidator\",\"/cosmos.staking.v1beta1.MsgUndelegate\",\"/cosmos.distribution.v1beta1.MsgWithdrawDelegatorReward\",\"/cosmos.distribution.v1beta1.MsgSetWithdrawAddress\",\"/cosmos.distribution.v1beta1.MsgWithdrawValidatorCommission\",\"/cosmos.distribution.v1beta1.MsgFundCommunityPool\",\"/cosmos.gov.v1beta1.MsgVote\",\"/osmosis.gamm.v1beta1.MsgJoinPool\",\"/osmosis.gamm.v1beta1.MsgExitPool\",\"/osmosis.gamm.v1beta1.MsgSwapExactAmountIn\",\"/osmosis.gamm.v1beta1.MsgSwapExactAmountOut\",\"/osmosis.gamm.v1beta1.MsgJoinSwapExternAmountIn\",\"/osmosis.gamm.v1beta1.MsgJoinSwapShareAmountOut\",\"/osmosis.gamm.v1beta1.MsgExitSwapExternAmountOut\",\"/osmosis.gamm.v1beta1.MsgExitSwapShareAmountIn\",\"/osmosis.gamm.poolmodels.balancer.v1beta1.MsgCreateBalancerPool\",\"/osmosis.lockup.MsgLockTokens\",\"/osmosis.lockup.MsgBeginUnlocking\",\"/cosmwasm.wasm.v1.MsgExecuteContract\",\"/cosmwasm.wasm.v1.MsgInstantiateContract\",\"/osmosis.superfluid.MsgSuperfluidUndelegateAndUnbondLock\",\"/osmosis.superfluid.MsgLockAndSuperfluidDelegate\",\"/osmosis.superfluid.MsgSuperfluidDelegate\",\"/osmosis.superfluid.MsgSuperfluidUndelegate\",\"/osmosis.superfluid.MsgSuperfluidUnbondLock\",\"/osmosis.superfluid.MsgCreateFullRangePositionAndSuperfluidDelegate\",\"/osmosis.superfluid.MsgUnlockAndMigrateSharesToFullRangeConcentratedPosition\",\"/osmosis.superfluid.MsgAddToConcentratedLiquiditySuperfluidPosition\",\"/osmosis.superfluid.MsgUnbondConvertAndStake\",\"/osmosis.poolmanager.v1beta1.MsgSwapExactAmountIn\",\"/osmosis.poolmanager.v1beta1.MsgSwapExactAmountInResponse\",\"/osmosis.poolmanager.v1beta1.SwapAmountInRoute\",\"/cosmos.authz.v1beta1.MsgGrant\",\"/cosmos.authz.v1beta1.MsgRevoke\"]"
  }
}

Neutron

$ grpcurl -d '{"subspace": "icahost", "key": "AllowMessages"}' neutron-grpc.publicnode.com:443 cosmos.params.v1beta1.Query/Params

{
  "param": {
    "subspace": "icahost",
    "key": "AllowMessages",
    "value": "[\"*\"]"
  }
}
Last changed by 
Rootul Patel
https://www.rootulp.xyz/
0
1
128

Read more

conduit-3

Celestia testnet with:

Jul 12, 2024
Celestia Hackathon

Original Data Square (ODS) visualizer

Mar 20, 2024
Discourage memo usage

Discourage memo usage by modifying two auth params.

Jan 23, 2024
Gas Repricing

CIAS is a project that applied inscriptions to Celestia. Instead of using blob data, they used the memo field.

Jan 16, 2024
Read more from Rootul Patel
Published on HackMD