Problem: currently used go-ethereum contains a known vulnerability #143

Closed
wants to merge 7 commits into from


yihuang
Collaborator

@yihuang yihuang commented Oct 6, 2021

Closes: #142 #102

Solution:

  • update to ethermint's recent main branch
  • add feemarket module, have to do this together.

👮🏻👮🏻👮🏻 !!!! REFERENCE THE PROBLEM YOU ARE SOLVING IN THE PR TITLE AND DESCRIBE YOUR SOLUTION HERE !!!! DO NOT FORGET !!!! 👮🏻👮🏻👮🏻

PR Checklist:

  • Have you read the CONTRIBUTING.md?
  • Does your PR follow the C4 patch requirements?
  • Have you rebased your work on top of the latest master?
  • Have you checked your code compiles? (make)
  • Have you included tests for any non-trivial functionality?
  • Have you checked your code passes the unit tests? (make test)
  • Have you checked your code formatting is correct? (go fmt)
  • Have you checked your basic code style is fine? (golangci-lint run)
  • If you added any dependencies, have you checked they do not contain any known vulnerabilities? (go list -json -m all | nancy sleuth)
  • If your changes affect the client infrastructure, have you run the integration test?
  • If your changes affect public APIs, does your PR follow the C4 evolution of public contracts?
  • If your code changes public APIs, have you incremented the crate version numbers and documented your changes in the CHANGELOG.md?
  • If you are contributing for the first time, please read the agreement in CONTRIBUTING.md now and add a comment to this pull request stating that your PR is in accordance with the Developer's Certificate of Origin.

Thank you for your code, it's appreciated! :)

@yihuang yihuang requested a review from a team as a code owner October 6, 2021 03:03
@yihuang yihuang requested review from JayT106 and devashishdxt and removed request for a team October 6, 2021 03:03
@yihuang yihuang requested a review from thomas-nguy October 6, 2021 03:06
Contributor

@tomtau tomtau left a comment

probably the more precise problem is: "Problem: currently used go-ethereum contains a known vulnerability" :)

I guess also a changelog entry can be added?

If the current testnet is to be upgraded via a state export -- I guess it'd also need genesis migrations to add the new module (or are there any other breaking changes?)?

@@ -40,6 +40,3 @@ replace github.com/cosmos/ibc-go => github.com/crypto-org-chain/ibc-go v1.0.1-ho
replace github.com/peggyjv/gravity-bridge/module => github.com/crypto-org-chain/gravity-bridge/module v0.1.22-0.20211004080324-36ed315b3281

replace github.com/cosmos/iavl => github.com/cosmos/iavl v0.17.1
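
Review bot: the `replace github.com/cosmos/iavl => github.com/cosmos/iavl v0.17.1` line at the end of this hunk carries no comment saying why the pin is needed or when it can be dropped. Suggest a one-line comment above it naming the dependency that forces the override, so it is removed once that dependency is updated. The gravity-bridge replace above it resolves to a fork at a pseudo-version (`v0.1.22-0.20211004080324-36ed315b3281`); a tagged release would be easier to audit.
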
Contributor

is this IAVL line necessary? it should be by default in 0.44.1?

Collaborator Author

@yihuang yihuang Oct 6, 2021

https://github.com/tendermint/tendermint/blob/v0.34.13/go.mod#L16

it seems still needed, tendermint still depends on the old iavl

Collaborator

submitted tendermint/tendermint#7089, I think it can be backported to v0.34.x.
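
As an added example (not code from this PR or from the cronos project), a small Go helper for the kind of go.mod review done in this thread: it lists single-line `replace` directives and marks which ones only pin a version of the same module, like the iavl line, and which redirect to another path at a pseudo-version. The names `Replace`, `ParseReplaces` and `sample` are hypothetical; `sample` holds only the two complete replace lines quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Replace is one single-line `replace old => new version` directive.
type Replace struct {
	Old, New, Version string
	SamePath          bool // old and new module path are identical: a pure version pin
	Pseudo            bool // version is a pseudo-version, i.e. an untagged commit
}

// pseudoRe matches the timestamp-and-hash tail of a Go pseudo-version.
var pseudoRe = regexp.MustCompile(`[-.]\d{14}-[0-9a-f]{12}$`)

// ParseReplaces extracts single-line replace directives from go.mod text.
// Block-form `replace ( ... )` and local-path targets are skipped (assumption).
func ParseReplaces(gomod string) []Replace {
	var out []Replace
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0])
		// Shapes: replace old => new ver | replace old oldver => new ver
		arrow := 2
		if len(f) == 6 {
			arrow = 3
		}
		if len(f) != arrow+3 || f[0] != "replace" || f[arrow] != "=>" {
			continue
		}
		r := Replace{Old: f[1], New: f[arrow+1], Version: f[arrow+2]}
		r.SamePath, r.Pseudo = r.Old == r.New, pseudoRe.MatchString(r.Version)
		out = append(out, r)
	}
	return out
}

// sample: the two complete replace lines visible in the go.mod hunk above.
const sample = `replace github.com/peggyjv/gravity-bridge/module => github.com/crypto-org-chain/gravity-bridge/module v0.1.22-0.20211004080324-36ed315b3281
replace github.com/cosmos/iavl => github.com/cosmos/iavl v0.17.1`

func main() {
	for _, r := range ParseReplaces(sample) {
		fmt.Printf("%s => %s %s samePath=%v pseudo=%v\n", r.Old, r.New, r.Version, r.SamePath, r.Pseudo)
	}
}
```
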

@yihuang yihuang changed the title Problem: recent version of go-ethereum is not used Problem: currently used go-ethereum contains a known vulnerability Oct 6, 2021
@thomas-nguy
Collaborator

thomas-nguy commented Oct 6, 2021

Let's wait until we have a more stable version of ethermint before upgrading and adding a Changelog entry? (unless we are planning release soon)

It seems the bump to 1.10.9 is still a work in progress and might take a few more days to complete
evmos/ethermint#624

@yihuang
Collaborator Author

yihuang commented Oct 6, 2021

Currently there's a panic here: https://github.com/tharsis/ethermint/blob/main/rpc/ethereum/backend/utils.go#L53, because the head.BaseFee is nil.

@yihuang yihuang marked this pull request as draft October 6, 2021 03:47
@codecov

codecov bot commented Oct 11, 2021

Codecov Report

Merging #143 (30ed5dc) into main (3ea70c5) will increase coverage by 4.82%.
The diff coverage is 48.17%.


@@            Coverage Diff             @@
##             main     #143      +/-   ##
==========================================
+ Coverage   21.51%   26.33%   +4.82%     
==========================================
  Files          27       33       +6     
  Lines        1729     2407     +678     
==========================================
+ Hits          372      634     +262     
- Misses       1324     1729     +405     
- Partials       33       44      +11     

| Impacted Files | Coverage Δ |
|---|---|
| app/prefix.go | 0.00% <0.00%> (ø) |
| app/test_helpers.go | 0.00% <0.00%> (ø) |
| x/cronos/keeper/gravity_hooks.go | 0.00% <0.00%> (ø) |
| x/cronos/keeper/grpc_query.go | 0.00% <0.00%> (ø) |
| x/cronos/keeper/msg_server.go | 5.00% <0.00%> (-1.46%) ⬇️ |
| x/cronos/module.go | 59.64% <0.00%> (-2.17%) ⬇️ |
| x/cronos/types/codec.go | 0.00% <0.00%> (ø) |
| x/cronos/types/events.go | 0.00% <ø> (ø) |
| x/cronos/types/messages.go | 20.22% <ø> (+20.22%) ⬆️ |
| x/cronos/types/params.go | 57.35% <ø> (+3.78%) ⬆️ |

... and 19 more

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7ff1cb9...30ed5dc. Read the comment docs.

Closes: crypto-org-chain#142 crypto-org-chain#102

Solution:
- update to ethermint's recent main branch
- add feemarket module

changelog
@yihuang yihuang marked this pull request as ready for review October 12, 2021 03:27
@yihuang yihuang requested a review from tomtau October 12, 2021 03:27
CHANGELOG.md Outdated
@@ -9,6 +9,8 @@

### Improvements
- [cronos#162](https://github.com/crypto-org-chain/cronos/pull/162) bump ibc-go to v1.2.1 with hooks support
- [cronos#143](https://github.com/crypto-org-chain/cronos/pull/143) update go-ethereum to 1.10.9 and add fee market
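
Review bot: the cronos#143 entry sits under "Improvements" and reads as a routine version bump; it does not say that the go-ethereum update addresses a known vulnerability, which is the problem named in this PR's title. Suggest wording such as "update go-ethereum to 1.10.9 (fixes a known vulnerability) and add fee market", or listing it under a security heading, so operators reading the changelog can tell the upgrade is security-relevant.
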
Collaborator

maybe specify upgrade ethermint

Collaborator Author

done

@@ -9,6 +9,8 @@

Contributor

not sure if changelog should also comment on breaking changes?

Collaborator Author

copied some ethermint changelog.

@yihuang yihuang enabled auto-merge (squash) October 12, 2021 05:19
@yihuang yihuang disabled auto-merge October 12, 2021 09:34
Collaborator

@thomas-nguy thomas-nguy left a comment

on hold

@yihuang yihuang marked this pull request as draft October 13, 2021 08:18
@yihuang
Collaborator Author

yihuang commented Nov 3, 2021

ethermint has upgraded, we just need to update to ethermint main branch later.

@yihuang yihuang closed this Nov 3, 2021
@yihuang yihuang deleted the go-ethereum branch November 3, 2021 06:54
Development

Successfully merging this pull request may close these issues.

Problem: currently used go-ethereum contains a known vulnerability
4 participants