GoZ Updates #4: Phase 3 and The Saga of Deception Attacks

Avatar photo
Persistence liquid staking

We bring to you the fourth article from the “GoZ Updates” series by Persistence. In our previous articles, we talked about Phases 1 and 2 of Game of Zones.

With this Document, we hope to shed some light on the events and updates of Phase 3 of Cosmos’ Game of Zones.

GoZ Phase 3 Challenge

The main objective of Phase 3 was the penetration testing for the IBC protocol.

Teams were required to attempt and execute confusion or deception attacks against other zones.

Expectations from Phase 3:

The most important purpose of Phase 3 was to identify security threats in the IBC Protocol/implementation, but this phase also served as a Validation of the IBC Protocol itself.

Phase 3 was so invigorating that the participating teams had been preparing for this Phase even before the start of the competition.

Participants, observers, and organizers were excited to see what some of these teams had in store and we can gladly say that we couldn’t have asked for more.

Phase 3

INTEROPERABILITY- If you are a Cosmonaut then you have probably heard or used this term more than “Coronavirus” or “Social Distancing” in 2020.

With the windup of Phase 3 of Game of Zones, the Cosmos ecosystem has moved one step closer to achieving its goal of Interoperability. Phase 3 saw some of the teams put their best foot forward to perform penetration/ vulnerability tests on the IBC protocol implemented on Cosmos.

With this goal, we saw a bunch of very exciting deception and confusion attacks in Phase 3.

A high-level overview of the attacks we witnessed in this Phase of Cosmos’ Game of Zones

  1. Our friends at IRISnet found a problem that can be used to mint more tokens on the counterparty chain than what’s escrowed at the source chain. This can be done by repeatedly relaying ICS20 packets through Unordered channels. You can find an in-depth explanation of this Deceptive Relay and its fix here.
  2. The P2P team illustrated how a Deceptive Rootchain can trap your tokens.
Source: P2P Validator Twitter

What does it mean? It simply means that a zone which is Deceptive in nature can be used to steal a user’s funds.

To understand this consider a model of a real phishing attack in a complex state machine. A user who transfers funds on a deceptive chain cannot transfer these tokens back and cash them out on the origin chain. The user won’t even know that they have lost their funds until they try to redeem the tokens. It allows the Malicious Root token holder or the token holder on the deceptive chain to redeem these tokens instead of the original token holder.

3. The P2P team also pulled off a Double-Spend attack via a Double Sign.

Source: P2P Validator Twitter

Malicious validators could double-spend via IBC transfers using Vanilla Tendermint, Cosmos-SDK, and relayer software.

4. Regen Network’s Game of Zones team demonstrated how an IBC zone can be invaded by rogue validators who can then drain its Reserves.

This is possible only when an IBC Zone is operating a faucet with insufficient security in place. If a set of malicious Validators can find and identify such a zone, they can make automated requests to the faucet using IBC Protocol. This can help them in obtaining the necessary information to run a full node in this zone and eventually they can become rogue Validators and can even take over the compromised zone.

5. Regen Network’s GoZ team found a way to Invalidate Real tokens by Minting Fake tokens. This attack uses channel namings and creates fake tokens to mimic the original token to invalidate the tokens transferred from the hub.

Community Contributions

  • The Stake.fish team introduced the Cosmos Community to Tamagotchi Custom Zones. A set of Custom Cosmos Zones designed to help people understand IBC and how to use the IBC relayer while also having fun at the same time. The two zones used here are independent Blockchains. This demonstrates the potential of IBC.
Source: Stake.fish Twitter
Source: Freeflix Media Twitter

The potential use cases that IBC brings in the media industry are huge. Right from media creation, media management to revenue payout, IBC can be used to extract the best results possible. Freeflix Media & Cosmic Compass also demonstrated how IBC based NFT transfers work in their custom zones.

Source: P2P Validator IBC Demo
  • Melea Validator published a guide on how to create 2 Blockchains and connect them using IBC. You can check it out here.

Learnings from Phase 3 of GoZ:

  • IBC will have a massive impact on the way Blockchains operate. We have already talked about how IBC is a Game-Changer for Enterprise Use-Cases. With the participating teams coming up with Custom Zone implementations for NFT marketplaces, Media, Gaming, and many other use cases, we see Cosmos’ IBC Protocol bringing a Paradigm shift in the way Blockchains operate today.
  • Zones can act as a single point of failure for IBC. This was reflected by most of the deception attacks we witnessed in this phase.
    This is why we believe that “Hubs” will play a pivotal role in maintaining security. With IBC connections being comparatively expensive, most connections will be through trusted hubs. This highlights the importance of the Hub and Spoke model which is capable of isolating each zone from the failures of other zones
  • With Bridges already being built between some of the most prominent Blockchain Networks, we can truly see Cosmos’ vision of an Internet of Blockchains come to life.

The Official GoZ Closing Ceremonies, Live Stream will be held on Wednesday, June 10th at 7:00 pm UTC

For more updates, please visit https://goz.cosmosnetwork.dev/

Welcome to the Internet of Blockchains!

About Persistence

Persistence is a Tendermint-based, specialised Layer-1 network powering an ecosystem of DeFi applications focused on unlocking the liquidity of staked assets.

Persistence facilitates the issuance and deployment of liquid-staked stkASSETs, allowing users to earn staking rewards while participating in DeFi primitives, such as lending/borrowing and liquidity provisioning on DEXs.

Persistence aims to offer a seamless staking and DeFi experience for PoS (Proof-of-Stake) users and enable developers to build innovative applications around stkASSETs.

Join Our Movement

Twitter | LinkedIn | Telegram | YouTube | Reddit | [email protected]