Platform: Code4rena
Start Date: 26/08/2021
Pot Size: $100,000 USDC
Total HM: 8
Participants: 13
Period: 14 days
Judge: Albert Chon
Total Solo HM: 7
Id: 27
League: COSMOS
Rank: 6/13
Findings: 1
Award: $1,565.87
Selected for report: 1
Solo Findings: 0
Selected for report: tensors
1565.8738 USDC - $1,565.87
tensors
If ETHBlockDelay is too small and the incentive for miners is large enough, it would be profitable for miners to attempt to double spend by depositing assets, waiting for confirmation on the cosmos-SDK and then reorging the blockchain.
Although an attack like this has never been done, it could potentially cost hundreds of millions of dollars in damages. With MEV at all-time highs and miners regularly using custom geth implementations, it's not totally out of the question to see an attack similar to this happening soon.
The best way to avoid something like this is to make sure to wait for a large number of blocks until a transaction is confirmed by the cosmos system.
#0 - jkilpatr
2021-09-10T18:55:09Z
We currently wait 6 blocks; as noted here, I've done some math on the subject. A 7 block deep reorg would actually halt the bridge so they could only pull this off once.
I do agree it's a moderate risk, but computing how probable (and therefore risky) this sort of attack is requires info that's pretty hard to get.
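One way to put numbers on the confirmation-depth question discussed above, as an added example that is not part of the thread or the project's code. It applies Nakamoto's catch-up model from the Bitcoin whitepaper, which is an assumption here: block production is treated as a Poisson race, and miner bribes and Ethereum-specific fork choice are ignored. The attacker shares `q` and the 0.1% risk target are constructed inputs.

```go
package main

import (
	"fmt"
	"math"
)

// CatchUpProbability: chance that an attacker holding fraction q of the hash
// power ever overtakes the honest chain once a deposit is z blocks deep
// (Nakamoto's Poisson model; an assumption, not the thread's own math).
func CatchUpProbability(q float64, z int) float64 {
	switch {
	case q <= 0:
		return 0
	case q >= 0.5 || z <= 0:
		return 1
	}
	p := 1 - q
	lambda := float64(z) * q / p // expected attacker blocks while honest miners produce z
	prob := 1.0
	for k := 0; k <= z; k++ {
		// Poisson(k; lambda) in log space so a large z does not underflow.
		lg, _ := math.Lgamma(float64(k + 1))
		poisson := math.Exp(-lambda + float64(k)*math.Log(lambda) - lg)
		prob -= poisson * (1 - math.Pow(q/p, float64(z-k)))
	}
	return math.Max(prob, 0)
}

// MinConfirmations returns the smallest delay (up to limit) whose reorg risk
// is at most maxRisk for an assumed attacker share q; ok is false if none fits.
func MinConfirmations(q, maxRisk float64, limit int) (delay int, ok bool) {
	for z := 0; z <= limit; z++ {
		if CatchUpProbability(q, z) <= maxRisk {
			return z, true
		}
	}
	return 0, false
}

func main() {
	const ethBlockDelay = 6 // delay quoted in the thread
	for _, q := range []float64{0.05, 0.10, 0.20, 0.30} { // constructed attacker shares
		need, _ := MinConfirmations(q, 0.001, 1000)
		fmt.Printf("q=%.2f  P(reorg past %d)=%.7f  delay for P<=0.1%%: %d\n",
			q, ethBlockDelay, CatchUpProbability(q, ethBlockDelay), need)
	}
}
```

Under this model the risk at a fixed delay rises steeply with the attacker's share, so a delay that looks safe at 10% is not at 30%.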
#1 - albertchon
2021-09-23T14:40:32Z
We did some investigation into this and concluded that 6 blocks was safe enough.
#2 - loudoguno
2021-10-01T03:49:02Z
Reopening as per judge's assessment as "primary issue" on findings sheet.