I’m curious what the security risks are here, and besides people trusting a canister with a malicious controller (which will always be an issue, and is an issue now with Ethereum smart contracts, as anyone can code any logic into the contract), I’m wondering if it simply boils down to the replication factor of the subnet?
Why are application subnets less secure than the system subnet? Wouldn’t the only reason be the replication factor? 34 nodes is harder to corrupt than 7 nodes.
Are there other security risks here?
How could a malicious canister on the same subnet “jailbreak” another canister?
And I want to push a few points here again:
- Please create a bug bounty program and start to crowd-source security testing of the IC. Get the best and brightest white hats to put this thing through the wringer.
- Please consider node shuffling so that we can further prevent node operator collusion
Security is of the utmost importance not only to this feature, but to every feature and application of the IC. Once large amounts of value start flowing through canisters, the security may be tested even more and end up breaking in production.