Asa-2023-002 was inaccurate
The issue that I called P2P storms is genuinely complex. Basically under load, Cosmos chains sometimes stop making blocks.

I have released a test tool, called hardhat.

And a set of mitigations called placid.

Also, I believe that this issue was very properly addressed by the Osmosis team in recent months. And I know they got help from the Comet team, and I'm appreciative to both for getting the issue fixed.

But I really do not appreciate the fact that Amulet used my company's name without my permission in their report, which ultimately seems to have been inaccurate.

I challenge the notion that the code that I wrote was actually run, because when it is run, the issues are very apparent. While large block size does play a role here, it is not the role described in the security report from Amulet.

I do not think that my scripts were ever run by the Informal Systems or Amulet teams, because if they were run, very different issues would have been exposed.

We created a document with distinct issues leading to an inability to come to consensus:

Issues that we reported are genuinely broad and genuinely challenging to track down. One of the things that I could have used while reporting was actual assistance in triage, but that really didn't happen.

I’d like to see us handle reports better.

I could post all the wild stuff that happened on the way, but maybe that's not ideal. Maybe I should just say directly that security process reform is needed, and if folks like @ebuchman do not understand why that is, I'll realize that things won't change and reorient myself according to that reality.