Namada Mainnet's First Security Upgrade

Last Thursday, the Namada mainnet smoothly completed its first public software upgrade to Namada v1.1.1.

Before that, however, on January 20 a covert software upgrade was carried out to patch security vulnerabilities identified by the Heliax team. The patched code shipped publicly as part of the v1.1.1 release (it was in fact already included in v1.1.0), and the details are being made public here for the first time.

Three security vulnerabilities were identified back in late December and early January. While none of these bugs were exploited and no funds were ever at risk, their successful exploitation could have caused a denial of service (DoS) to certain nodes, delayed block production, or halted the chain. These three bugs were:

  1. SA001: A transaction whose authorization section contained 256 or more public keys with valid matching signatures could have triggered an integer overflow in signature verification, causing the node to panic during mempool validation.
  2. SA002: A transaction with many repeated sections could have made the section hash calculation used for signature verification grow significantly with the number of sections, heavily slowing down node operation.
  3. SA003: A user could have instantiated a validator with a negative commission rate by forcing the transaction submission past client-side validation. If that validator then entered the consensus set, the ledger would panic when minting inflation for validators at the start of a new epoch.
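To make the first two bug classes concrete, here is an added Rust sketch; it is not Namada's code, and the `Tx` model, `MAX_SIGNERS`, the FNV-based `hash_section` and the `toy_sign` scheme are all hypothetical stand-ins. It shows a mempool-style authorization check in its pre-patch and patched shapes: a byte-sized counter of valid signatures that panics at the 256th one (SA001) and a per-signature rehash of every section (SA002), beside a version that caps the signer count before doing any work, hashes each distinct section once, and counts in `usize`.

```rust
use std::cell::Cell;
use std::collections::HashMap;

/// Hypothetical cap on signers per authorization. Anything below 256 also
/// guarantees that a byte-sized counter could never wrap.
const MAX_SIGNERS: usize = 255;

#[derive(Debug, PartialEq)]
enum RejectReason {
    TooManySigners(usize),
    ThresholdNotMet { valid: usize, need: usize },
}

/// A transaction as seen by mempool validation: raw sections plus a
/// threshold-multisig authorization over a digest of those sections.
struct Tx {
    sections: Vec<Vec<u8>>,
    /// (public key, signature) pairs in the toy scheme below.
    signers: Vec<(u64, u64)>,
    threshold: usize,
}

thread_local! {
    /// Counts calls to `hash_section` so the work done is observable.
    static HASH_CALLS: Cell<usize> = Cell::new(0);
}

fn reset_hash_calls() { HASH_CALLS.with(|c| c.set(0)); }
fn hash_calls() -> usize { HASH_CALLS.with(|c| c.get()) }

/// FNV-1a over one section. Non-cryptographic; it only gives the example
/// something deterministic to sign (a real ledger would use SHA-256).
fn hash_section(bytes: &[u8]) -> u64 {
    HASH_CALLS.with(|c| c.set(c.get() + 1));
    bytes.iter().fold(0xcbf2_9ce4_8422_2325, |acc: u64, &b| {
        (acc ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01b3)
    })
}

/// Folds per-section hashes into one digest. Order-sensitive on purpose,
/// so repeated sections do not cancel each other out.
fn fold_digest(acc: u64, section_hash: u64) -> u64 {
    acc.rotate_left(5) ^ section_hash
}

/// Toy keyed signature standing in for Ed25519: valid iff sig == toy_sign(pk, digest).
fn toy_sign(pk: u64, digest: u64) -> u64 {
    (digest ^ pk).rotate_left(17).wrapping_mul(0x9e37_79b9_7f4a_7c15)
}

/// Pre-patch shape of the check: no cap on signers, valid-signature count kept
/// in a u8 (SA001), and the digest over all sections recomputed for every
/// signature (SA002).
fn validate_vulnerable(tx: &Tx) -> Result<u8, RejectReason> {
    let mut valid: u8 = 0;
    for &(pk, sig) in &tx.signers {
        let digest = tx.sections.iter().fold(0, |acc, s| fold_digest(acc, hash_section(s)));
        if toy_sign(pk, digest) == sig {
            // A plain `valid += 1` panics here on the 256th valid signature when
            // overflow checks are on; spelled out so the behaviour is profile-independent.
            valid = valid.checked_add(1).expect("signature counter overflowed");
        }
    }
    if usize::from(valid) < tx.threshold {
        return Err(RejectReason::ThresholdNotMet { valid: valid.into(), need: tx.threshold });
    }
    Ok(valid)
}

/// Patched shape: bound the signer count before doing any work, hash every
/// distinct section exactly once, and count in a type that cannot wrap.
fn validate_hardened(tx: &Tx) -> Result<usize, RejectReason> {
    if tx.signers.len() > MAX_SIGNERS {
        return Err(RejectReason::TooManySigners(tx.signers.len()));
    }
    let mut memo: HashMap<&[u8], u64> = HashMap::new();
    let digest = tx.sections.iter().fold(0, |acc, s| {
        let h = *memo.entry(s.as_slice()).or_insert_with(|| hash_section(s));
        fold_digest(acc, h)
    });
    let valid = tx.signers.iter().filter(|&&(pk, sig)| toy_sign(pk, digest) == sig).count();
    if valid < tx.threshold {
        return Err(RejectReason::ThresholdNotMet { valid, need: tx.threshold });
    }
    Ok(valid)
}

/// Constructed test data: `n` correctly signed signers (keys 1..=n) plus `bad`
/// signers whose signatures are deliberately wrong.
fn build_tx(sections: Vec<Vec<u8>>, n: usize, bad: usize, threshold: usize) -> Tx {
    let digest = sections.iter().fold(0, |acc, s| fold_digest(acc, hash_section(s)));
    let mut signers: Vec<(u64, u64)> = (1..=(n as u64)).map(|pk| (pk, toy_sign(pk, digest))).collect();
    signers.extend((1..=(bad as u64)).map(|pk| (pk + n as u64, !toy_sign(pk + n as u64, digest))));
    Tx { sections, signers, threshold }
}

fn main() {
    // 256 valid signers over 1000 identical sections: the hardened check rejects
    // it up front, before a single signature or section is processed.
    let tx = build_tx(vec![b"transfer".to_vec(); 1000], 256, 0, 1);
    println!("hardened: {:?}", validate_hardened(&tx));
}
```

Because the cap is checked before any signature is verified, an oversized authorization costs the node almost nothing to reject; checking it only after counting would still have let an attacker burn CPU on hundreds of verifications. The hash-call counter exists only so the saved work is observable.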

In addition to patching each vulnerability, additional tests were added to the namada repo, and the patched software was first deployed on the Campfire and Housefire testnets before coordinating with a subset of mainnet validators to upgrade the mainnet in secret.

The Heliax team coordinated with about 25 validators comprising ~71% of the network voting power to upgrade the mainnet software. The patched software was consensus-compatible with v1.0.0 of Namada, so no chain halt or specific upgrade block height was required.

Validators were invited to a new private GitHub repository containing the patched source code and some pre-built binaries, and were asked to upgrade their nodes asynchronously as soon as possible. Within a couple of hours of the invitations going out, we confirmed that over 70% of the network's voting power had upgraded. That is past the two-thirds of voting power that consensus needs to keep committing blocks, so even if an attacker had crashed every remaining unpatched node, block production could no longer have been affected; individual unpatched nodes stayed exposed only until they upgraded.

A massive thank you to the collection of validators who came together swiftly and effectively to address these vulnerabilities and keep the mainnet resilient!


Glad to see this having been handled professionally. Props to team and validators for solid execution.
