Hi Paul,
Just want to let you know that it’s my opinion that none of the mitigations are super great, although when combined you can reduce the surface area for the attack.
Sadly, @Jessysaurusrex saw it fit to publish the issue to the world.
Here’s my mitigations repository:
Here’s a very disappointing thread from the comet bft GitHub
Here’s where download instructions from @thanethomson from informal only to have @AdiSeredinschi from informal close the issue that thane created:
@jtremback and @uditvira were supposed to be working on a testnet with me but they have ghosted (again)
And finally here’s some comments from Informal CTO @zmilosevic
Jacob, the issue you are talking about is a mempool/protocol fee design issue, so it is not a security issue, it is a complex design issue that will take some time to be properly designed and implemented. And it is not a comet-only issue: it involves things to be designed and implemented at the level of the whole stack, and then every application will need to also implement what makes sense to them. We have heard you when you surfaced it for the first time; at this point in time, there are workarounds that involve validators adjusting fees or someone proposing the global fee to be non-zero. I personally don’t believe that having a non-zero global fee is a solution for anything, as validators can already adjust it locally and the benefit is that we can be more adaptive. Changing global params takes weeks. You repeating the same thing every day will not change that this is reality. From our perspective we don’t see you trying to collaborate in a professional way, as each time you are not happy with our perspective you go public and talk shit for days. This does not seem like a good way to create a healthy relationship. We have tried putting some structure in place so we can make sure we have healthy communication between our two orgs, but I don’t see it being used. You prefer to attack us in public, and fair enough, but don’t be surprised when we say it does not work for us to work like this. On repositories we steward, we expect people to respect each other and to offer technical and product perspective. Everyone doing this is more than welcome and appreciated for input. We don’t believe that there is room for personal attacks, and this is a very common practice in all decent open source projects, so nothing really new here. On our side, there is no problem with you and Notional contributing to projects, you are more than welcome, but we expect everyone to approach others with respect and to try to understand the other side.
I believe that being able to knock over any chain in cosmos at any time for any reason is a security issue.
I hope @zaki_iqlusion or some members of the terra or injective or Celestia teams might chime in.
Back to work on the testnet