Names matter: ICFormuletBananaKingBerry

ICFormuletBananaKingBerry is something that I first reported two years ago to the ICF. It is named ICFormuletBananaKingBerry because there were three opportunities to stop it from going public and we have a berry naming convention in Cosmos.

Security reports related to ICFormuletBananaKingBerry

  • 2021 - Notional Labs - p2p from client updates on Sentinel reported via HackerOne
  • 2022 - Luna’s crazy missed block situation beginning May 8th 2022 (notable enough not to need a report, I hope)
  • 2022 - coldy reported Banana King via HackerOne
  • 2022 - Notional Labs reported Banana King via a Slack channel called advanced-ibc-issues
  • 2023 - Notional Labs reported p2p-storms via a Slack channel called invalid-block-parts which was later renamed to p2p-storms
    • September 21 2023:
  • September 23, 2023 - Notional Labs submitted a Google Doc to Amulet titled p2p-storms via security@interchain.io
    • we were informed that wasn’t really an email and wasn’t a valid submission
  • September 25, 2023
    • finally sent an email with a link to the Google Doc

Holy cow, that is awful.

We have seen ICFormuletBananaKingBerry all over the place:

  • Game of zones in 2020
  • Sentinel (DVPN) in 2021
  • Luna Classic 2022
  • Stride in 2023

By looking at it, I finally figured out how to recreate it, but unfortunately another reason that it has such a complex name is this thing called Banana King, that’s another thing that ICFormulet didn’t address, I’m afraid.

Please understand that ICFormulet is:

  • interchain foundation
  • Informal Systems
  • amulet

Anyway it needed to have all of these names because there are three organizations responsible for publishing it while that was still quite dangerous and there were no mitigations and they had not used the reproduction information that I had provided.

Additionally it is because ICFormulet ignored security reports on another issue called Banana King. So in total we’re looking at like 6 instances of completely ignored reports and I need to say that this is not the first time that that has happened. Last year, the hub was exploited, damaging Quicksilver.

I reported this to the ICFormulet apparatus before any damage occurred, but no action was taken. Unfortunately, this is the same exact thing. Members of the Celestia team and community, Zaki Manian, Dev Ojha, Marko from the SDK team, @ccclaimens and countless others have contributed time and talent to resolving this issue.

I need to make absolutely clear that ICFormulet has not only not been helpful, they have stood in the way of its resolution, so we are naming it after root causes, because this thing is mainly the result of maladministration of the Cosmos software stack by ICFormulet.

Mitigations to ICFormuletBananaKingBerry can be found at GitHub - notional-labs/placid: mitigations to p2p-storms.

As time goes on I will post more details, I think that for now I’ll leave it at this.
