Borovan is using Trax treasury to DoS nICP

Hey everyone,

Recently @borovan passed Trax#137, which transferred 17’970 ICP to ljxsi-5du4w-3se32-vba6v-dd543-rrj3g-nayx2-f7xhd-o4u7a-ycmxw-bae.

The ICP were promptly forwarded to tx jrnhz-6ekxv-2fffs-wfcgt-l3pe7-456id-heznf-xyf64-nykjq-4jyso-zae, which has been the source of the DoS attack on the nICP ledger canister, by mass transferring 0.0001 nICP every few seconds, back and forth to dhm6v-3f3gr-yp7vg-qosgm-s7yoj-x5zhf-su424-jxqa5-43big-ceouy-bqe.

We propose to the community to slightly increase the transfer fees for nICP from 0.0001 nICP to 0.01 nICP with proposal #3021.

9 Likes

Proposal #3021 verification:

4 Likes

We also propose to change the parameter in the index canister, to only index every ten seconds, instead of every second, with #3022.


Proposal #3022 verification:

  • The hash for upgrade arguments checks out
  • Canister WASM hash checks out


Please note the path in the proposal is wrong, you need to use rs/ledger_suite/icrc1/index-ng instead of rs/rosetta-api/icrc1/index-ng.

1 Like

What does it actually mean to change the parameter in the index canister?

He means slow the “heartbeat” down, which would make a DoS attack less expensive on the canister.

The index canister, as its name indicates, helps to index transactions from the ledger. Otherwise you need to step through every block of the ledger to recreate your transaction history.

By changing the parameter, we index every ten seconds instead of every one, lowering the load on the canister, and thus the cycles consumed. The ledger canister will upgrade itself with the following parameters:

(variant { Upgrade = record { retrieve_blocks_from_ledger_interval_seconds = opt 10; } })

You can follow the effects by looking at the code of the index canister directly.

5 Likes


3 Likes

I wonder what stance the leadership team has on this attack.

2 Likes

Isn’t that illegal? Can I maliciously ddos a platform? US users should consider suing Borovan for this crime. There is enough evidence to show malicious intent.

4 Likes

But what is a proper way to handle DoS attacks on ICP? Slowing the heartbeat down might work but that limits the ICP use case to slow systems (even if it’s fine here). Increasing the fees makes sense. I guess there is a balance between many approaches.

I feel there should be a capability to have dynamic fees. That is, with the increase of traffic the fees increase. And when you DoS, it quickly becomes expensive. But normal calls can be cheap / even free. Should be protocol level, or could be even app layer standard.

Cc @EnzoPlayer0ne

3 Likes
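The dynamic-fee idea in the post above, as an added sketch that is not part of the thread and not code from any ledger canister: a ledger-wide fee that doubles for each transfer above a target rate inside a sliding window, capped at a maximum. The window length, target rate, doubling rule, 8-decimal base units and all names are assumptions; the two fee values are the ones quoted in the thread.

```rust
use std::collections::VecDeque;

// Constructed parameters. Amounts are in base units and assume 8 decimals.
const BASE_FEE: u64 = 10_000; // 0.0001 token, the current fee quoted in the thread
const MAX_FEE: u64 = 1_000_000; // 0.01 token, the proposed fee, used here as a cap
const WINDOW_SECS: u64 = 60; // sliding window length (assumed)
const TARGET_TX: usize = 5; // transfers per window treated as normal (assumed)

/// Ledger-wide fee schedule: the fee doubles for every transfer above
/// TARGET_TX seen in the last WINDOW_SECS, up to MAX_FEE.
pub struct DynamicFee {
    recent: VecDeque<u64>, // timestamps (seconds) of recent transfers
}

impl DynamicFee {
    pub fn new() -> Self {
        Self { recent: VecDeque::new() }
    }

    /// Fee a transfer arriving at `now` would be charged.
    pub fn quote(&mut self, now: u64) -> u64 {
        // Drop timestamps that have aged out of the window.
        while self.recent.front().map_or(false, |&t| now.saturating_sub(t) >= WINDOW_SECS) {
            self.recent.pop_front();
        }
        let excess = self.recent.len().saturating_sub(TARGET_TX).min(32) as u32;
        BASE_FEE.saturating_mul(1u64 << excess).min(MAX_FEE)
    }

    /// Charge and record a transfer; returns the fee paid.
    pub fn record(&mut self, now: u64) -> u64 {
        let fee = self.quote(now);
        self.recent.push_back(now);
        fee
    }
}

/// Total fees for `n` transfers sent one every `period` seconds.
pub fn total_cost(period: u64, n: u64) -> u64 {
    let mut fees = DynamicFee::new();
    (0..n).map(|i| fees.record(i * period)).sum()
}

fn main() {
    println!("one transfer every 3 s : {}", total_cost(3, 100));
    println!("one transfer every 30 s: {}", total_cost(30, 100));
}
```

Because the window is ledger-wide, honest senders also pay the raised fee while a flood is in progress; the fee returns to the base once the window empties.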

This seems to be like gas fees from Eth. It’s a proven and battle tested approach

It’s pretty sad to see you attacking IC dapps. We are all on the same team.

2 Likes

I agree with your sentiment but you're turning team builder into the bad guys right now.

Please stop.

3 Likes

Where does draining treasuries, draining liquidity from dkp, and dos attacking fall in this list?

1 Like

@integral_wizard

It's possible to inspect the principal of the caller and ignore requests from blacklisted principals. Or anonymous ones.

I suppose you could have an app detect malicious activity and automatically blacklist principals. Though this is a bit tricky in DeFi apps given the need to allow for high volume of transactions normally.

I'm not sure how effective this is in practice as nothing I ever built has enough traffic to bother DoSing :rofl:

1 Like

Hey Enzo sweetie - Statement Addressing Borovan and Thyassas Recent Activity and Future Plans

love you

1 Like

Seems like WTN is celebrating this though?

2 Likes

I actually like this thing where every post is auto hidden. It’s like scratching the next box in a scratch ticket, so exciting!

3 Likes

Wow, I wasn’t expecting it.

I think Dfinity rocks did the trick.