this change would double the cost of all transactions, unless the transactions are proposed by binance. While I’ve not confirmed this yet, @zmanian states that x/globalfee only really works at the mempool layer. We can think of it as a mempool filter that operates globally and is governance controlled.
Binance seems to be operating with a modified mempool, as illustrated by blocks they produce containing zero fee transactions. It is also possible that binance simply hasn’t adhered to the minimum gas settings listed in the Gaia repository.
This should definitively reduce the DDOS vulnerability of the Hub. But I’m just wondering what are the implications of removing the IBC administration messages from the bypass fee list.
The hub doesn’t have a ddos vulnerability more or less than any other system.
Let’s discuss for a moment the nature of a distributed denial of service attack. A distributed denial of service attack is expensive for the attacker.
That is because in a distributed denial of service attack, the attacker is using many machines to come at a single system.
The issue which amulet should not have disclosed, and described poorly, does not require many machines and in fact requires only a single open API endpoint. The attacker needs exactly zero machines under their control.
It would be extremely unwise to think of such an attack as a distributed denial of service attack because that would completely invert the economics of the attack.
Okay, now that we have gotten basic definitions out of way, let’s get on to impact. I believe that this would be absolutely terrible for relayers and would change the economics of relaying around the hub. I think that the only viable path would be to whitelist relayers using governance. But then we would have to write the code to do that. I also believe that even though this would be absolutely terrible for relayers, we should probably do it anyway.
Those bypasses are crazy dangerous.
Whitelists have their own risks, but in the end, if all whitelisted relayers are hit by a bus, others can relay until the whitelists are updated.
PS:
Thomas, if you want to discuss this further, please contact me by DM at twitter.com/gadikian and we can set up a secure way of talking (usually I prefer signal)
I don’t think it’s related to a modified mempool, I would go for the second option, Binance probably has a local minimum_gas_price=0. The problem is, when both global and local minimum_gas_price are empty or equal to 0, the node’s mempool can accept transactions without fee. This is how the x/globalfee module works.
Secondly, from the tests I led, I can tell that Binance isn’t the only one with this setting.
This seems like a good idea to me. The only issue is the concern of whether it would make things too expensive for relayers if they have to pay for gas. This is something that’s easy to test though. I think we should get some tests rolling to estimate typical costs on the testnet, and then do some napkin math to estimate the costs of running various important channels. If the extra gas cost ends up being small, it’s a clear win IMO.
OK, we can wait until thursday but I do wish to note that I don’t think that testing on the rs testnet accurately reproduces anything related to the spam issue.
The testnet has clearly experienced a netsplit and consensus is being driven mainly by banana apple and cherry.
Unfortunately the proposal didn’t reset the bypass_min_fee_msg_types fields. The global fee is now 0.005 as expected, but the IBC messages are still in bypass_min_fee_msg_types.
I tried making these proposals before publicly releasing the information, Informal and Hypha did not have a complete view of the situation because they never got on a phone call with me about this matter until 10/4/2023.
My frist report of the issue was 8/15/2023 and I had completed replication by 9/21/2023.
Are you saying that this issue that you have demonstrated, with the mempools is still ongoing, and a fix would be to increase transaction fees to make it more expensive for an attack to cause this cascading collapse?
It might not be as expensive as you think, the attacker can always spread via, nevermind, i see why this discussion should be taken elsewhere, but you probably understand what I’m trying to say
