Currently, the invalid XDM fraud proof is verified by calling into the `is_valid_xdm` domain runtime API with the genesis state of the domain (subspace/crates/sp-domains-fraud-proof/src/host_functions.rs, lines 340 to 351 in 3494834):

```rust
// Runtime instantiated over the domain's genesis state, so any storage
// that was written after genesis is not visible to this call.
let encoded_extrinsic = opaque_extrinsic.encode();
domain_stateless_runtime
    .is_valid_xdm(encoded_extrinsic)
    .expect("Runtime api must not fail. This is an unrecoverable error")
```

The actual XDM verification, however, is not stateless and involves runtime state like the current channel nonce that is not included in the genesis state. So in the invalid XDM FP verification `is_valid_xdm` will always return false; if there is a valid XDM, the attacker can submit an FP claiming the XDM is invalid and the honest bundle author will be slashed. This scenario is not covered in the test, unfortunately.

Looking closer, the invalid XDM is actually covered by the illegal tx FP, which is essentially proving the `pre_dispatch` result of an extrinsic, and the `pre_dispatch` of the XDM includes the XDM verification. Moreover, unlike the current invalid XDM FP, the illegal tx FP uses an execution proof which includes all the required state during `pre_dispatch`, so the invalid XDM can be proved by the illegal tx FP and the current invalid XDM FP is unnecessary.

cc @vedhavyas @dariolina
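The failure mode described in the issue, as an added model that is not subspace's own code: the `Xdm` and `RuntimeState` types, the toy `state_root` commitment and the two verifier functions are hypothetical stand-ins. `accept_invalid_xdm_fp_genesis` replays the nonce check against genesis state, as the current verifier does, and so "proves" every message invalid, valid ones included. `accept_invalid_xdm_fp_with_witness` replays the same check against the state the proof carries, with the supplied state standing in for the execution proof; it goes one step beyond the issue text by also showing why that state has to be bound to a committed root, since an unbound witness would let the prover pick any state it likes.

```rust
// Hypothetical model of stateful XDM validation inside a fraud-proof verifier.
// Not the subspace implementation; all names here are illustrative.
use std::collections::BTreeMap;

/// Identifier of a channel between two chains (simplified to an integer).
type ChannelId = u64;

/// Cross-domain message as the verifier sees it: the channel it belongs to
/// and the nonce assigned by the sender.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Xdm {
    pub channel_id: ChannelId,
    pub nonce: u64,
}

/// The slice of runtime state the real check depends on: for every open
/// channel, the next nonce the inbox expects.
#[derive(Clone, Debug, Default, PartialEq, Eq)]
pub struct RuntimeState {
    pub next_inbox_nonce: BTreeMap<ChannelId, u64>,
}

impl RuntimeState {
    /// Genesis state: no channel has been opened yet.
    pub fn genesis() -> Self {
        Self::default()
    }
}

/// Stateful XDM validation: valid only if the channel exists at this state
/// and the nonce is exactly the one the inbox expects next.
pub fn is_valid_xdm(state: &RuntimeState, msg: &Xdm) -> bool {
    match state.next_inbox_nonce.get(&msg.channel_id) {
        Some(expected) => *expected == msg.nonce,
        None => false, // channel unknown at this state
    }
}

/// Toy state commitment (FNV-1a over the sorted (channel, nonce) pairs).
/// Stands in for the state root a real execution proof is checked against.
pub fn state_root(state: &RuntimeState) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for (id, nonce) in &state.next_inbox_nonce {
        for b in id.to_le_bytes().iter().chain(nonce.to_le_bytes().iter()) {
            h ^= *b as u64;
            h = h.wrapping_mul(0x0000_0100_0000_01b3);
        }
    }
    h
}

/// The problematic verifier: runs the check against genesis state only.
/// Returns true when the proof is accepted, i.e. the XDM is deemed invalid.
pub fn accept_invalid_xdm_fp_genesis(msg: &Xdm) -> bool {
    !is_valid_xdm(&RuntimeState::genesis(), msg)
}

/// Illegal-tx style verifier: the pre-dispatch state comes with the proof and
/// is first bound to the committed root, then the check is replayed on it.
pub fn accept_invalid_xdm_fp_with_witness(
    committed_root: u64,
    witness: &RuntimeState,
    msg: &Xdm,
) -> Result<bool, &'static str> {
    if state_root(witness) != committed_root {
        return Err("state witness does not match the committed state root");
    }
    Ok(!is_valid_xdm(witness, msg))
}

fn main() {
    // Constructed sample: channel 7 is open and expects nonce 3 next.
    let mut state = RuntimeState::genesis();
    state.next_inbox_nonce.insert(7, 3);
    let valid = Xdm { channel_id: 7, nonce: 3 };

    println!("valid at pre-dispatch state: {}", is_valid_xdm(&state, &valid));
    println!("genesis verifier accepts FP: {}", accept_invalid_xdm_fp_genesis(&valid));
    println!(
        "witness verifier accepts FP: {:?}",
        accept_invalid_xdm_fp_with_witness(state_root(&state), &state, &valid)
    );
}
```

Running `main` prints `true`, `true`, `Ok(false)`: the message is valid at the state it was dispatched against, the genesis-based verifier nevertheless accepts a proof that it is invalid, and the witness-based verifier rejects that proof.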