-
Notifications
You must be signed in to change notification settings - Fork 309
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
BUG: cw-ICS721 cannot mint tokens received. #501
Comments
@giansalex thanks for the detailed write up of this. i appreciate the simple example, and link to the code. i'll get to this early next week likely. |
reposting my thoughts on this from the Discord: I feel that the CW implementation is behaving correctly and in line with the spec here. the state machine is:
the SDK module approach is:
the trouble with this is that the NFT is destroyed before it is confirmed to have been transferred! this feels like an invariant violation to me. imagine if other code performed an action when the NFT is destroyed - the author would probably be surprised to learn that the NFT can be re-minted. we are building a bridge, so in my view we should prioritise correctness over all else. additionally, NFTs are not locked by the CW approach, you just need to self-relay your ACK, in addition to the packet. If you do that, it will happily burn the NFT on completion. |
https://github.com/cosmos/ibc/tree/main/spec/app/ics-721-nft-transfer#packet-relay
According to this, it is understood that the token must have been burned when it was sent. |
@giansalex, what's your opinion on how the spec should work? it feels strange to me to allow transferring a NFT that has not been ACK'd as being received yet. |
This is a heavy bug and exploit. Check my explanation here: #705 (comment) The issue you are pointing out is due to congestions by IBC messages relaying issues, where ACK success and fail messages are delivered very late due to mass amount of packets (e.g. by vector attacks). IBC though guarantees sending ACKs - no matter how long it takes. Only solution here is to self-relay or wait :). But for ICS721 transfer it is good that NFT is locked until then. |
can you demonstrate this exploit on the chain? |
sorry, I had not seen this. I agree with the current implementation, generally nft-transfers will be successful, ACK+error and Timeout events occur rarely or exceptionally (in testnet occurred due to a malicious contract attack). it is also more optimal for the relayers, since the gas consumed in the NFT burning will be charged to the user (nft-transfer Tx) |
Summary of Bug
That happens when a token is sent in a second flow and the
cw-ics721
has not received IBC Acknowledge in time.e.g:
i -> j
(OK)j -> i
(JUNO does not receive IBC ACK in time)i -> j
(JUNO cannot mint the token on IBC Recv)Looking in the code, this occurs because
cw-ics721
burns the token sent to the remote chain in IBC ACK event, but due to spam it does not receive the ACK in time.https://github.com/public-awesome/ics721/blob/main/contracts/cw-ics721-bridge/src/ibc.rs#L172
Steps to Reproduce
Expected and Actual Behavior
Additional Context
The burn event must occur at the time of transfer, as does
nft-transfer
module.https://github.com/bianjieai/nft-transfer/blob/v1.1.1-beta/keeper/relay.go#L259
The text was updated successfully, but these errors were encountered: