IBC memo spamming incident report:
2024/06/17: cosmoshub-osmosis (0-141)
spammed with over 30k packets carrying large memos
https://x.com/gadikian/status/1802637809871990908?t=YTOaZ4Qr8XmowwJhazn7IQ&s=19
https://www.mintscan.io/osmosis/tx/05328B81D051D0E71D4DB530665F97D83FA5286404E6677B39DA0B234C6FE7B2?height=16843794
Characteristics of the transactions: large size, relatively low gas cost
- ~2M gas
- ~431.23 KB total tx size
- memo: 5.15 KB
"{\"forward\":{\"receiver\":\"Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. 
Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. 
Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.Jacob, you aren’t a security researcher. This is a long standing issue in the codebase with many existing mitigations. Your months long campaign of self aggrandizement using threats holding yourself up as the only hero helping is self destructive and transparently self serving. Your refusal to work with core teams in a productive manner is part and parcel of a pattern of destructive behavior that we as a community cannot continue to countenance. Please take this conversation to another channel.\",\"port\":\"transfer\",\"channel\":\"channel-569\",\"timeout\":\"12h\",\"retries\":10,\"next\":{\"receiver\":\"cosmos1h3pnkamn8wx6sxv09ehw64efwecx2fq28tl8rx\",\"port\":\"transfer\",\"channel\":\"channel-0\",\"timeout\":\"10m\",\"retries\":2}}}"
IBC receiver:
up to 11 receivers, bech32-encoded string data (PFM performs a bech32 validation on it), each ~7.82 KB
This was enough to degrade network performance on Osmosis significantly (roughly 3x) for about an hour.
We can filter packets in hermes in various ways, e.g. filter out all packets with:
- a memo > 4 kB
- a receiver field > 2 kB
config.toml:
# Set the maximum size for the memo field in ICS20 packets.
# If the size of the memo field is bigger than the configured
# one, the packet will not be relayed.
# The filter can be disabled by setting `enabled = false`.
# [Default: "32KiB"]
ics20_max_memo_size = { enabled = true, size = "4KiB" }
# Set the maximum size for the receiver field in ICS20 packets.
# If the size of the receiver field is bigger than the configured
# one, the packet will not be relayed.
# The filter can be disabled by setting `enabled = false`.
# [Default: "2KiB"]
ics20_max_receiver_size = { enabled = true, size = "2KiB" }
^ these limits should currently suffice even for larger valid (user-initiated) packets using PFM, Squid Router or Circle CCTP messages.
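To make the two limits concrete, here is an added example (not hermes code, and not part of the original report) that applies the same byte-size checks to an ICS20 FungibleTokenPacketData JSON object and walks a packet-forward-middleware memo to count hops and report the largest receiver at any hop. The hop walk goes beyond what the config filters do; it is a defender-side inspection, and the sample packets, addresses and config dict below are constructed for the example. With the values above, a 5.15 KB memo trips the 4 KiB memo limit and a ~7.82 KB receiver trips the 2 KiB receiver limit.

```python
import json
from typing import Any, Dict, List, Optional, Tuple


def parse_size(text: str) -> int:
    """Convert a hermes-style size string ("4KiB", "32KiB", "512B") into bytes."""
    text = text.strip()
    for unit, mult in (("KiB", 1024), ("MiB", 1024 ** 2), ("B", 1)):  # "KiB" before "B"
        if text.endswith(unit):
            return int(text[: -len(unit)]) * mult
    return int(text)  # bare integer: bytes


def field_bytes(value: Any) -> int:
    """Wire size of a packet field: the UTF-8 byte length the limits apply to."""
    return 0 if value is None else len(str(value).encode("utf-8"))


def check_ics20_packet(packet_data: Dict[str, Any], max_memo: Optional[int],
                       max_receiver: Optional[int]) -> Tuple[bool, str]:
    """Relay decision for one FungibleTokenPacketData; None means that filter is disabled."""
    memo_len = field_bytes(packet_data.get("memo"))
    recv_len = field_bytes(packet_data.get("receiver"))
    if max_memo is not None and memo_len > max_memo:
        return False, f"memo is {memo_len} B, limit {max_memo} B"
    if max_receiver is not None and recv_len > max_receiver:
        return False, f"receiver is {recv_len} B, limit {max_receiver} B"
    return True, "ok"


def _as_hop(node: Any) -> Optional[Dict[str, Any]]:
    """Accept a PFM hop as {"forward": {...}}, as a bare {...}, or as either in a JSON string."""
    if isinstance(node, str):
        try:
            node = json.loads(node)
        except json.JSONDecodeError:
            return None
    if not isinstance(node, dict):
        return None
    inner = node.get("forward", node)
    return inner if isinstance(inner, dict) else None


def pfm_hops(memo: Optional[str]) -> List[Tuple[str, int]]:
    """Walk a PFM memo chain; returns (channel, receiver_bytes) per hop, [] for non-PFM memos."""
    try:
        doc = json.loads(memo) if memo else None
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict) or "forward" not in doc:
        return []
    hop, hops = _as_hop(doc["forward"]), []
    while hop is not None:
        hops.append((str(hop.get("channel", "")), field_bytes(hop.get("receiver"))))
        hop = _as_hop(hop.get("next"))  # "next" may be {"forward": ...}, a bare hop, or a string
    return hops


def inspect_packet(packet_data: Dict[str, Any], cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise one packet against a config dict shaped like the two hermes entries above."""
    def limit(key: str) -> Optional[int]:
        entry = cfg.get(key, {})
        return parse_size(entry["size"]) if entry.get("enabled") else None
    relay, reason = check_ics20_packet(packet_data, limit("ics20_max_memo_size"),
                                       limit("ics20_max_receiver_size"))
    hops = pfm_hops(packet_data.get("memo"))
    return {"memo_bytes": field_bytes(packet_data.get("memo")),
            "receiver_bytes": field_bytes(packet_data.get("receiver")),
            "pfm_hops": len(hops),
            "largest_hop_receiver_bytes": max((n for _, n in hops), default=0),
            "relay": relay, "reason": reason}


# Constructed config mirroring the config.toml values above (assumption: same semantics).
HERMES_CFG = {"ics20_max_memo_size": {"enabled": True, "size": "4KiB"},
              "ics20_max_receiver_size": {"enabled": True, "size": "2KiB"}}

# Constructed sample packets; addresses are placeholders, not real accounts.
NORMAL_PACKET = {
    "denom": "uosmo", "amount": "1000", "sender": "osmo1sender-placeholder",
    "receiver": "cosmos1receiver-placeholder",
    "memo": json.dumps({"forward": {"receiver": "cosmos1hop-placeholder", "port": "transfer",
                                    "channel": "channel-0", "timeout": "10m", "retries": 2}}),
}
BIG_MEMO_PACKET = dict(NORMAL_PACKET, memo=json.dumps(
    {"forward": {"receiver": "x" * 5000, "port": "transfer", "channel": "channel-0"}}))
BIG_RECEIVER_PACKET = dict(NORMAL_PACKET, receiver="y" * 3000)
# Three-hop chain: hop 2 uses the {"forward": ...} wrapper, hop 3 the bare form seen in the memo above.
CHAIN_MEMO = json.dumps({"forward": {
    "receiver": "a" * 10, "port": "transfer", "channel": "channel-1",
    "next": {"forward": {"receiver": "b" * 20, "port": "transfer", "channel": "channel-2",
                         "next": {"receiver": "c" * 30, "port": "transfer", "channel": "channel-3"}}}}})

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PACKET), ("big memo", BIG_MEMO_PACKET),
                      ("big receiver", BIG_RECEIVER_PACKET)):
        print(name, inspect_packet(pkt, HERMES_CFG))
```

The size checks use UTF-8 byte length rather than character count, since the limit is meant to bound what goes on the wire; a size string with `enabled = false` maps to `None` and disables that check, matching the comment in the config.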
Bump max_gas to 100M for osmosis in the hermes config.
^ Run with these settings and with channel clearing deactivated so that new packets are handled.
💥 New releases:
- ibc-go v8.3.2 (https://github.com/cosmos/ibc-go/releases/tag/v8.3.2)
- ibc-go v7.6.0 (https://github.com/cosmos/ibc-go/releases/tag/v7.6.0)
v7.6.0 introduces size limits on the memo field and receiver field in IBC packets, back-ported from the v8 release line.