Enable Canisters to Hold ICP

Hi @mparikh. Thanks for providing the reference. I’ve read through it before, but I read through it again to refresh myself. I also read through the latest on the Sandboxing thread here: Security Sandboxing

These threads are great for technical folk, but they don’t present the information in a digestible format for the average community member. A good security engineer should be able to synthesize the discussion into a few key points.

Furthermore, we should not be making decisions like this based on perceived risk; rather, we should put emotions aside and use quantitative and qualitative measures to provide an accurate risk assessment.

I disagree. The reputation of Dfinity should not be a driving factor (no offense intended).

You and others have already acknowledged that this vulnerability has existed for some time now. We already have millions in assets (mainly NFTs) that are susceptible to exploitation. What does this mean? It means that delaying this proposal does not mitigate the risk. Delaying this proposal simply reduces the potential impact (total $$$ stolen) of an attack. I’m not trying to be dismissive; I just want to paint an accurate picture.

Agreed. But I also think this may be understating it. We are talking about a decentralized system, right? I don’t claim to be an expert on the IC architecture, but even if a rogue process was able to escape from its canister and tamper with another, wouldn’t this have to be accomplished on all replicas at the same time in order for any valuable assets to be moved around? I assume consensus would still have to be reached, no? This sounds like an extremely well orchestrated attack that requires a deep understanding of the IC. Does that mean it’s impossible? Absolutely not. But it is something that should be measured and included in our assessment.

To be clear, I’m not saying I’m for, or against, a delay. I’m just asking for additional information and for everyone to remember that we are talking about a network whose very existence depends on an active ecosystem. What do I mean by this? Unlike other networks, users cannot keep the network alive by running their own hardware. We effectively pay node providers for this service when we buy ICP off of the exchange. IMO, the IC is very vulnerable right now. The demand for NFTs (across all chains) has reduced significantly and we don’t have DeFi to bring in money flows. Many of our other services are designed to be free to users. This is great for adoption, but it does not pay the bills (node providers). We need to consider that there are other risks associated with this delay and factor those into our decision as well.

Sorry for getting on a soapbox. I was actually supposed to take this week off from the IC. Unfortunately, between the IC Gallery Moonwalkers launch (I love utility/access NFTs) and this discussion (I work as a security engineer) I couldn’t help myself.
