ICP Neuron Age is 52 Years

Hi all,

Here is an update on the neurons with a large age!

Situation
As already mentioned in this thread, there are some NNS neurons that have an age which is very large. To the best of our knowledge, there are only a handful of these neurons in total.
These neurons have a slightly higher voting power bonus than the NNS design intended for. The maximum age bonus that these neurons can get is 25%. Also, the age is capped at 4 years in the code, so larger age values do not have additional effect on the voting power.

Nevertheless, we of course take this situation very seriously and treat this as a security incident.

Cause of the bug
We were able to narrow down the source of the bug to the recently changed function merge_neurons of NNS governance’s manage neuron commands. This function allows users to merge a “source neuron” into a “target neuron”, combining their stake and all their information.
In the case where the target neuron is dissolved, i.e. has zero dissolve delay, there was a bug that incorrectly updated the neurons’ age, which led some of the neurons to have these very large age values.

Stopgap proposal
To make sure that this vulnerability cannot be exploited by attackers, as a stopgap we submitted proposal [123434] to the NNS that proposed to disable merge_neurons. This proposal has been executed, and thus no additional neurons can get into this buggy state and no attackers can take advantage of this bug.

To ensure that the proposal does not reveal the bug to attackers and in accordance with the Security Patch Policy and Procedure that was adopted in proposal [48792], the source code that was used to build this release will be exposed shortly. Once the source code is revealed, the community will be able to retroactively verify the binaries that were rolled out.

Why did we choose a stopgap rather than waiting for a bug fix?

  • We think it is important to take the time for additional reviews to ensure that all paths that can lead to the bug were covered as well as for the usual security reviews and release tests.
  • Even though disabling the functionality may cause an inconvenience for some users, merging neurons is just a UX improvement that does not affect the core functionality of governance. Most importantly, users can still vote, get voting rewards, modify the neurons, and disburse stake and maturity.
  • Another advantage of this approach is that the community will be able to verify the fix before voting on the proposal, which will provide more confidence in it.

What are the next steps?
Now that the stopgap was executed by the NNS, we are working on the following tasks:

  1. Fixing the bug, making sure we do additional reviews to avoid similar bugs. As mentioned, we plan to follow the normal release process in this case and the community will be able to fully verify the code as it is merged since there is no risk of attackers exploiting the vulnerability anymore.
  2. Recovery of the affected neurons. This includes identifying the neurons that were affected by the bug and setting their age back to an expected value.

We plan to provide another update when we have a concrete proposal ready for these points!

21 Likes
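The post says the age is capped at 4 years with a maximum 25% bonus, and that recovery starts with identifying the affected neurons. The sketch below is an added example, not DFINITY's or the NNS governance canister's code: it applies the cap and flags any neuron whose age exceeds the network's own lifetime. The linear scaling of the bonus, the `Neuron` record, its field names, and all timestamps are assumptions constructed for illustration.

```rust
// Added example: hypothetical types and constructed sample data, not NNS code.
const YEAR_SECS: u64 = 31_557_600; // 365.25 days
const AGE_CAP_SECS: u64 = 4 * YEAR_SECS; // post: age is capped at 4 years
const MAX_AGE_BONUS_BP: u64 = 2_500; // post: maximum age bonus is 25% (basis points)

struct Neuron {
    id: u64,
    aging_since_secs: u64, // hypothetical field: when the neuron started aging
}

fn age_secs(n: &Neuron, now: u64) -> u64 {
    now.saturating_sub(n.aging_since_secs)
}

// Age bonus in basis points. Linear scaling up to the cap is an assumption.
fn age_bonus_bp(age: u64) -> u64 {
    age.min(AGE_CAP_SECS) * MAX_AGE_BONUS_BP / AGE_CAP_SECS
}

// Invariant check: no neuron can have aged for longer than the network has existed.
fn implausible_age(neurons: &[Neuron], now: u64, network_start: u64) -> Vec<u64> {
    let max_age = now.saturating_sub(network_start);
    neurons
        .iter()
        .filter(|n| age_secs(n, now) > max_age)
        .map(|n| n.id)
        .collect()
}

// Constructed sample: two plausible neurons and one with a 52-year age.
fn sample() -> (Vec<Neuron>, u64, u64) {
    let start = 1_600_000_000; // constructed network start, not the real one
    let now = start + 2 * YEAR_SECS;
    let neurons = vec![
        Neuron { id: 1, aging_since_secs: start + YEAR_SECS },
        Neuron { id: 2, aging_since_secs: start },
        Neuron { id: 3, aging_since_secs: now - 52 * YEAR_SECS },
    ];
    (neurons, now, start)
}

fn main() {
    let (neurons, now, start) = sample();
    for n in &neurons {
        println!("neuron {}: bonus {} bp", n.id, age_bonus_bp(age_secs(n, now)));
    }
    println!("implausible: {:?}", implausible_age(&neurons, now, start));
}
```

The cap bounds the impact on voting power, while the lifetime invariant is what separates an affected neuron from a legitimately old one.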