The first thing I need to say is that Robin from our team is going to have a more detailed write up on this topic.
I will be submitting this forum post and Robin’s forum post to the ICF and to AIB in the hopes that both organizations will delegate only to validators who own their own machines from here forward.
It is entirely unsafe to operate a validator on any shared tenancy machine (AWS, GCE, and any cloud virtual machine).
This has probably been true since the Rowhammer attacks, but it seems that Downfall makes clear what many of us have long suspected. Everything about cloud scale virtualization and shared tenancy computing is completely inappropriate for the blockchain space.
You can find more information at
- Liquid staking protocols
- Family offices
- Individual large holders of atoms
In a proof of stake network it is folks like yourselves who secure and govern the network. Somebody like me is only able to bring awareness.
I would like to call on our community’s whales to protect the network by migrating stake.
Sometime today I should have produced a short list of validators that Notional delegates to, ourselves included, which have been specifically whitelisted for this issue. The whitelisting process will consist of a phone call and gathering data about systems. We can’t be certain, but personally I think it is much better than accepting known security problems.
Please don’t trust it, SGX is a fundamental flaw. Run. The end.
For more information please see:
Actually in this case, I believe that this is true. This is not happy news, it is true news. I think that validators incapable of running their own equipment should leave every Cosmos network.
I think that validators who insist upon shared tenancy or are unwilling to attest to using equipment that they own, or are non-communicative, should leave as well.
I will probably be making a governance proposal out of this but I want to make very clear that it’s not something that we can take coercive action on. I think that this governance proposal will be in an advisory format. And what we will be looking for is for the community to approve the advisory.
You don’t know if it’s been applied.
Also right now it hasn’t been released. Downfall is the latest in a series of very serious problems that have to do with the processes that we created for multi-tenancy in cloud systems. These processes have time and time again been shown to be unsafe.
We did not come here to be some weak ass proof of stake. We came here to win. If you want weak ass proof of stake, go somewhere else where people don’t discuss fundamental security problems and attempt to take action.
The rest of us are going to work on winning.
If you have an MPC Horcrux system, but all signers are in the cloud, then you’re vulnerable to Downfall.
If you have a tmkms system and your signer is in the cloud, you’re vulnerable to Downfall.
Firstly, you likely should not say that you are vulnerable publicly. The reason for that is not to protect your delegations, but instead to protect your keys. If an attacker could determine where you host, they might be able to get onto the same machine as you and therefore get at your keys.
Proposal 104 on the Cosmos Hub funded Notional to do security work for the Cosmos Hub, and I believe that helping validators mitigate Downfall is in scope for that funding.
So if you are vulnerable, and you would like assistance moving to exclusively single tenancy equipment, please contact me at Twitter.com/gadikian
Credit for finding the vulnerability to https://moghimi.org/
Credit for tweeting about issues with thinking sand to @zaki_iqlusion
… Credit to any whale who makes a major redelegation pending.