Murisi/masp ibc replay protection using txdata on 0.39.0

[murisi]

Describe your changes

An attempt to address issue #3300. The approach taken is to include the IBC receiver in the pre-image of shielded Transaction outputs. More specifically, the following changes have been made:

• The target of outgoing shielded actions is the hash of the IBC receiver (plus a 1 byte tag indicating an IBC recipient)
  • For non-IBC receivers, we just prepend a 1 byte tag to the target Address indicating a non-IBC recipient
• Modified IBC transactions to use the raw integer representation of amounts rather than the human readable decimal representation. This involved:
  • Modifying the client to be able to derive the denominations of IBC tokens. This is done by essentially looking up the base token corresponding to an IBC token and finding the denomination of that
  • Making the protocol return no denomination for IBC token instead of a zero
  • This was necessary because MASP uses raw amounts, so we need to make sure that MASP-IBC computations utilize the same units
• Modifying the MASP validity predicate to check MASP transaction inputs and outputs against IBC packets. This involved:
  • Deriving the token Address that corresponds to an transfer PacketData and checking that the transparent inputs and outputs use that
  • Checking that the transparent outputs of a MASP Transaction go to the receiver stated in PacketData in the case of an outgoing shielded action
  • Checking that the transparent inputs of a MASP Transaction are the IBC internal address in the case of a refund or an incoming shielded action

This PR was derived from merging Namada 0.39.0 into #3406 .

Closes #3300

Indicate on which release or other PRs this topic is based on

Namada v0.39.0
Patched Hermes 1.8.2: heliaxdev/hermes#34

Checklist before merging to draft

• I have added a changelog
• Git history is in acceptable state

[codecov]

Codecov Report

Attention: Patch coverage is 1.71149% with 402 lines in your changes missing coverage. Please review.

Project coverage is 53.77%. Comparing base (879a326) to head (7ff94bd).
Report is 4 commits behind head on main.

Files	Patch %	Lines
crates/namada/src/ledger/native_vp/masp.rs	0.00%	285 Missing ⚠️
crates/core/src/masp.rs	0.00%	41 Missing ⚠️
crates/sdk/src/rpc.rs	0.00%	35 Missing ⚠️
crates/sdk/src/masp.rs	0.00%	10 Missing ⚠️
crates/vp_env/src/lib.rs	0.00%	10 Missing ⚠️
crates/ibc/src/storage.rs	0.00%	8 Missing ⚠️
crates/core/src/token.rs	0.00%	5 Missing ⚠️
crates/node/src/bench_utils.rs	0.00%	3 Missing ⚠️
crates/shielded_token/src/conversion.rs	0.00%	2 Missing ⚠️
crates/ibc/src/actions.rs	0.00%	1 Missing ⚠️
... and 2 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3409      +/-   ##
==========================================
- Coverage   53.92%   53.77%   -0.16%     
==========================================
  Files         317      317              
  Lines      107575   107807     +232     
==========================================
- Hits        58011    57970      -41     
- Misses      49564    49837     +273     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[cwgoes]

The concept makes sense; I'm wondering if we can clean up the ChangedBalances calculation somewhat - it's very hard to follow.

[cwgoes]

Should this function be defined in the ibc crate instead, and imported here? Seems like we might want to use it in multiple places (and I wonder if it is in fact already defined somewhere...)

[murisi]

You're right, this function is already implemented in the client (where the queries are sent to an RPC node). I'll investigate whether the protocol version here (which reads storage directly) can somehow reuse this logic.

[murisi]

I've discussed turning this function into an RPC endpoint with @tzemanovic . Doing so seems suboptimal because this function is a essentially a heuristic for guessing IBC denominations from IbcToken hashes based on the results the protocol has cached so far. Also it seems to me that somehow using generics to share this logic would be overkill for this limited issue. Do you think there's a way to eliminate the use of this function in the MASP VP @yito88 ?

[cwgoes]

Could all these functions simply be exported by the ibc crate? Also, could they be combined into one which takes all the state changes and returns the ChangedBalances for this transaction which the MASP VP needs?

[murisi]

Moving the ChangedBalances functions into the namada_ibc crate is problematic because those functions depend on the namada_vp_env crate (which itself depends on the namada_ibc crate). The latter dependency is due to those functions doing pre and post balance reads as well as IBC trace reads and packet commitment reads from storage. I suspect I'd have to restructure these functions in order to reduce their dependence on validity predicate functions first. Should I attempt restructuring those functions in this PR?

[cwgoes]

(discussed offline - let's do this separately)

[yito88]

We could generalize apply_send_packet for Transfer and NftTransfer

[murisi]

Agreed. I was just a bit reluctant to do this now because the NFT E2E tests are not a part of the tests crate in the Namada repo and require some additional setup which I've not done yet. Do you think you could get this done more quickly/efficiently than me and open up a separate PR to generalize Transfer to NftTransfer? If not, then I can start working on this...

[yito88]

I hope this could be helpful: #3422

[murisi]

Brilliant, thanks! Did you manage to run the NFT E2E tests on this? Just want to clarify #3409 (comment) , then I'll merge this in.

[yito88]

To be honest, I didn't try the NFT E2E test. I will test it after testing fungible token transfers in this PR.
Also, I'll release the updated Hermes for this PR to test in CI.

[murisi]

Ah, I see thanks. I've partially applied #3422 where it pertains to determining a token Address from a packet denom. However I just wanted to clarify whether or not logic to receive NFT messages is missing before applying the rest of the PR. See https://github.com/anoma/namada/pull/3422/files#r1645836855 . Thanks.

[murisi]

@yito88 For lack of time could we include this NFT support in the next release after the one today? If so, did you get a chance to test the fungible token transfers in this PR? Were there any issues that need urgent addressing?

[cwgoes]

Are we sure that the token in this case is really the denom that we're looking for?

[murisi]

See #3409 (comment) .

[cwgoes]

Why do we need to know the owner to query the IBC denomination at all?

[murisi]

I need to investigate this. For the purposes of validation, this function almost exactly mirrors the computation done during the construction of IBC transactions in the client. Compare this to

namada/crates/sdk/src/rpc.rs

Line 1406 in 08e5664

/// Look up the IBC denomination from a IbcToken.

, which is invoked at

namada/crates/sdk/src/tx.rs

Line 2583 in 08e5664

rpc::query_ibc_denom(context, &args.token.to_string(), Some(&source))

. cc @yito88

[cwgoes]

@yito88 can you clarify here? I'm quite confused about this

[yito88]

query_ibc_denom is for looking for readable IBC denom with IbcToken hash.
Using an owner was to avoid looking all IBC denoms up when the balance query didn't require --token. (Now the query requires both the token and the owner. The RPC function is left for now.)
I think we don't need the query in MASP VP because the IBC denom should be in the packet and the token address can be calculated from it.

[murisi]

For context, the token address for a receive packet is computed here in the MASP VP: https://github.com/anoma/namada/blob/4de6577c73e223504b0fcb226257ef7b85e248a7/crates/namada/src/ledger/native_vp/masp.rs#L483C25-L483C55 . This computation was designed to produce the same shielded token as the one produced by Hermes, which can be found at

namada/crates/sdk/src/tx.rs

Line 3505 in 5cc23b4

// Need to check the prefix

I think we don't need the query in MASP VP because the IBC denom should be in the packet and the token address can be calculated from it.

Thanks for the clarification @yito88 . Would this same reasoning apply to how Hermes derives the token from the IBC denom (also using query_ibc_denom and received_ibc_token)? Or is the context of the Hermes computation somehow different?

[yito88]

query_ibc_denom looks stored IBC denoms up. received_ibc_token returns the IBC denom to be minted/unescrowed. Hermes doesn't derive the token. I think you meant gen_ibc_shielding_transfer. It uses received_ibc_token because Hermes will attach the shielding transfer for the receiving token.

[cwgoes]

Is there a reason we can't just construct the path directly and read from it (instead of iterating)? What data are we missing?

[murisi]

We're missing the sequence number. Also, Yuji suggested a different approach:

packet sequence can be obtained from the state with read_pre and the key next_sequence_*_key because the transaction has only one IBC message.

[cwgoes]

Ah, I see.

[yito88]

I think we could make it a bit simpler because we can assume that the validated transaction has only one IBC transfer.

[grarco]

I guess the idea here is to mock a balance change to an address that we are not aware of on this chain (based on the ibc msg) so that then we can verify the matching between this ibc msg packet and masp transparent output with validate_transparent_output, correct?

[grarco]

Also, are we validating the optional ShieldingTransfer that the receiving chain gets? I see that this message is built in build_ibc_transfer and we also link the hash of the unshielding masp section of the source chain. The method execute called by the ibc native vp returns this data but it seems like we never use it. This is probably a question for @yito88

[murisi]

I guess the idea here is to mock a balance change to an address that we are not aware of on this chain (based on the ibc msg) so that then we can verify the matching between this ibc msg packet and masp transparent output with validate_transparent_output, correct?

Yes, exactly.

[yito88]

The method execute called by the ibc native vp returns this data but it seems like we never use it.

Right, IBC actions never use ShieldingTransfer.

[grarco]

@yito88 is this ok? Do we have a way to verify that the relayer is indeed forwarding the correct ShieldingTransfer?

[yito88]

Ah, the IBC VP has to validate the ShieldingTransfer for the given IBC message.
I'll open another PR.

[cwgoes]

@yito88 can you clarify here? I'm quite confused about this

[cwgoes]

Ah, I see.

[cwgoes]

(discussed offline - let's do this separately)