-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(rln): nullifierlog vulnerability #2855
Conversation
waku/waku_rln_relay/rln_relay.nim
Outdated
|
||
var epochsToClear = rlnPeer.nullifierLog.keys().toSeq() | ||
epochsToClear.sort(compareKeys) | ||
epochsToClear = epochsToClear[0 ..< countToClear] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
as it is, it should work fine now.
however I'm having second thought about cleaning the nullifierlog this way. it has some implicit knowledge that can be error prone.
perhaps a better way could be. which epoch are we at? x? well, remove everything in the table that is beyond x-epochGap.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i like this idea, O(n) vs O(nlogn) not that it matters though because the nullifierLog will be small :)
waku/waku_rln_relay/rln_relay.nim
Outdated
# dirty should never happen | ||
return pubsub.ValidationResult.Reject | ||
# insert the message to the log (never errors) | ||
discard wakuRlnRelay.updateLog(msgProof.epoch, proofMetadataRes.get()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the key here is that we shouldn't update the nullifierlog if the message is wrong (eg proof is invalid). otherwise anyone can "DoS" the nullifieerLog, forcing cleanups and making it useless.
waku/waku_rln_relay/rln_relay.nim
Outdated
@@ -280,7 +280,7 @@ proc validateMessageAndUpdateLog*( | |||
return MessageValidationResult.Invalid | |||
|
|||
# insert the message to the log (never errors) | |||
discard rlnPeer.updateLog(msgProof.epoch, proofMetadataRes.get()) | |||
#discard rlnPeer.updateLog(msgProof.epoch, proofMetadataRes.get()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this function is called even in invalid messages. see other comment.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
or maybe a better way use isValidMessage
here and only updateLog
if valid.
You can find the image built from this PR at
Built from 8863572 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks!
* CHANGELOG.md add info for v0.30.0 * fix(rln-relay): clear nullifier log only if length is over max epoch gap (#2836) * chore: add TWN parameters for RLNv2 (#2843) * fix(rln): nullifierlog vulnerability (#2855) * chore(rln-relay): add chain-id flag to wakunode and restrict usage if mismatches rpc provider (#2858) --------- Co-authored-by: Aaryamann Challani <43716372+rymnc@users.noreply.github.com> Co-authored-by: Alvaro Revuelta <alvrevuelta@gmail.com>
chore: Update master from release v0.30 (#2866) * CHANGELOG.md add info for v0.30.0 * fix(rln-relay): clear nullifier log only if length is over max epoch gap (#2836) * chore: add TWN parameters for RLNv2 (#2843) * fix(rln): nullifierlog vulnerability (#2855) * chore(rln-relay): add chain-id flag to wakunode and restrict usage if mismatches rpc provider (#2858) --------- Co-authored-by: Aaryamann Challani <43716372+rymnc@users.noreply.github.com> Co-authored-by: Alvaro Revuelta <alvrevuelta@gmail.com>
nullifierLog
. Now instead of counting elements in the table and removing when >epochGap
, we ensure that they correspond to the current epoch +-epochGap
. Anything than that we remove. This protects the node from messages arriving out-of-order.validateMessageAndUpdateLog
. ThenullifierLog
table was updated with new epochs no matter if the message was rate-limited or not, and no matter if the message even contained a valid proof. This allowed an attacker to attack thenullifierLog
table, that in conjunction with the previous bug caused rate-limited messages to be accepted. The attacker at no cost could fill the table with unused epochs, bypassing the rate-limit protection.