Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump github.com/cosmos/gaia/v9 from 9.0.1 to 9.1.1 #44

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github May 26, 2023

Bumps github.com/cosmos/gaia/v9 from 9.0.1 to 9.1.1.

Release notes

Sourced from github.com/cosmos/gaia/v9's releases.

v9.1.1

Gaia v9.1.1 Release Notes

This release includes a fix for the huckleberry security advisory. Credits to Felix Wilhelm (@​felixwilhelm) of Jump Crypto for the discovery and responsible disclosure via our bug bounty program.

Go Version For a successful upgrade, please use go 1.18.x if you're compiling the binary from source, other versions of golang have not been tested for compatibility and may cause consensus issues.

Changelog [v9.1.1] - 2023-05-25

App: gaiad
Version: v9.1.1
Commit: 66494d1ec72cfa0f8800aa8f1545e19d2af47e47
Files:
 fd0a04268d160eca9c325d0ee4b67cbd  gaiad-v9.1.1-darwin-amd64
 8bbb19cbeda4893f6a8cae59179176cd  gaiad-v9.1.1-darwin-arm64
 dc9d46930b3c397f19c4f8423e098724  gaiad-v9.1.1-linux-amd64
 429c6c7e98d6d81e1eacbbc234aa2489  gaiad-v9.1.1-linux-arm64
 afd1db48115a920600978e39a87beafe  gaiad-v9.1.1-windows-amd64.exe
 879141aa972280d00ace0282a9a3ce6d  gaiad-v9.1.1.tar.gz
Checksums-Sha256:
 959f3ddbf3a65b557574527222c5a673b706e9d52a203dfbda2ceb827b760261  gaiad-v9.1.1-darwin-amd64
 0a913a3a9a31456ddfba26eccdfccca61d00b06498faa94019776df391509d27  gaiad-v9.1.1-darwin-arm64
 f62814711be991e535b2fd86f7d4ed8c055bebf774253a06477dc182ce98cdc3  gaiad-v9.1.1-linux-amd64
 a7112c03c7a2bec2a761a3d430bfea9616ed0ebb10c785cafdd6fac117abc504  gaiad-v9.1.1-linux-arm64
 db1d82650ed2a0aa9abccb2bb60dca902c4d1444444f6c76a8b6d61d6bc41e08  gaiad-v9.1.1-windows-amd64.exe
 a57501de8b7516933077075e6a7acab03ba266ea4c0e478fd979703cd02ffecb  gaiad-v9.1.1.tar.gz

v9.1.0

Gaia v9.1.0 Release Notes

Note: This release is consensus breaking and will be applied in a coordinated upgrade

This upgrade is proposed to take place at height 15,21,3800. The date/time of the upgrade is subject to change as blocks are not generated at a constant interval. You can stay up-to-date using this live countdown page.

The chain id will remain cosmoshub-4.

For full upgrade instructions please see Discord for the following settings/scenarios.

  • Golang version --> v1.18.x
  • Halt Height settings --> MUST be manually set to 15213800
  • Avoiding double signing errors --> Avoid being tombstoned and slashed
  • Dealing with stuck nodes

... (truncated)

Changelog

Sourced from github.com/cosmos/gaia/v9's changelog.

[v9.1.1] - 2023-05-25

[v9.1.0] - 2023-05-08

This release combines two fixes that we judged were urgent to get onto the Cosmos Hub before the launch of the first ICS consumer chain. Please note that user funds were not at risk and these fixes pertain to the liveness of the Hub and consumer chains.

The first fix is to enable the use of multisigs and Ledger devices when assigning keys for consumer chains. The second is to prevent a possible DOS vector involving the reward distribution system.

Multisig fix

On April 25th (a week and a half ago), we began receiving reports that validators using multisigs and Ledger devices were getting errors reading Error: unable to resolve type URL /interchain_security.ccv.provider.v1.MsgAssignConsumerKey: tx parse error when attempting to assign consensus keys for consumer chains.

This was surprising because we had never seen this error before, even though we have done many testnets. The reason for this is probably because people don’t bother to use high security key management techniques in testnets.

We quickly narrowed the problem down to issues having to do with using the PubKey type directly in the MsgAssignConsumerKey transaction, and Amino (a deprecated serialization library still used in Ledger devices and multisigs) not being able to handle this. We attempted to fix this with the assistance of the Cosmos-SDK team, but after making no headway for a few days, we decided to simply use a JSON representation of the PubKey in the transaction. This is how it is usually represented anyway. We have verified that this fixes the problem.

Distribution fix

The ICS distribution system works by allowing consumer chains to send rewards to a module address on the Hub called the FeePoolAddress. From here they are automatically distributed to all validators and delegators through the distribution system that already exists to distribute Atom staking rewards. The FeePoolAddress is usually blocked so that no tokens can be sent to it, but to enable ICS distribution we had to unblock it.

We recently realized that unblocking the FeePoolAddress could enable an attacker to send a huge number of different denoms into the distribution system. The distribution system would then attempt to distribute them all, leading to out of memory errors. Fixing a similar attack vector that existed in the distribution system before ICS led us to this realization.

To fix this problem, we have re-blocked the FeePoolAddress and created a new address called the ConsumerRewardsPool. Consumer chains now send rewards to this new address. There is also a new transaction type called RegisterConsumerRewardDenom. This transaction allows people to register denoms to be used as rewards from consumer chains. It costs 10 Atoms to run this transaction.The Atoms are transferred to the community pool. Only denoms registered with this command are then transferred to the FeePoolAddress and distributed out to delegators and validators.

Note: The fee of 10 Atoms was originally intended to be a parameter that could be changed by governance (10 Atoms might cost too much in the future). However, we ran into some problems creating a new parameter as part of an emergency upgrade. After consulting with the Cosmos-SDK team, we learned that creating new parameters is only supported as part of a scheduled upgrade. So in the current code, the number of Atoms is hardcoded. It will turn into a parameter in the next scheduled upgrade.

[v9.0.3] - 2023-04-19

[v9.0.2] - 2023-04-03

  • (feat) Bump Interchain-Security v1.1.0 provider module. See the release notes for details.
  • (feat) Add two more msg types /ibc.core.channel.v1.MsgTimeout and /ibc.core.channel.v1.MsgTimeoutOnClose to default bypass-min-fee-msg-types.
  • (feat) Change the bypassing gas usage criteria. Instead of requiring 200,000 gas per bypass-min-fee-msg, we will now allow a maximum total usage of 1,000,000 gas for all bypassed messages in a transaction. Note that all messages in the transaction must be the bypass-min-fee-msg-types for the bypass min fee to take effect, otherwise, fee payment will still apply.
  • (fix) #2087 Fix bypass-min-fee-msg-types parsing in app.toml. Parsing of bypass-min-fee-types is changed to allow node operators to use empty bypass list. Removing the bypass-min-fee-types from app.toml applies the default message types. See #2092 for details.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/cosmos/gaia/v9](https://github.com/cosmos/gaia) from 9.0.1 to 9.1.1.
- [Release notes](https://github.com/cosmos/gaia/releases)
- [Changelog](https://github.com/cosmos/gaia/blob/main/CHANGELOG.md)
- [Commits](cosmos/gaia@v9.0.1...v9.1.1)

---
updated-dependencies:
- dependency-name: github.com/cosmos/gaia/v9
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels May 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants