Important SNS upgrade

The SNS development team has submitted a critical security fix in proposal 131807 earlier today which was accepted by the NNS community and is now available to all SNSs for upgrade. In accordance with the security policy, we’ll reveal the details in 10 days.

We highly recommend that all SNSs get upgraded to the latest version as soon as possible to ensure smooth operation.

11 Likes

Let me tag @Sneed @infu @levi @Dogmi @aiv @Accumulating.icp for your information as I don’t have a more direct channel to ping someone from these DAOs.

4 Likes

Thanks @lara :pray:. The CTS community on OpenChat is a good channel to ping us.

2 Likes

Hey Lara, it seems like the root hash is not the same as the one proposed in the linked proposal: NNS Dapp

Root Hash on SNS: 2c6018ca27ae077a26acb63821d20328bf1db2dc2710d9a7245cd1c4ae22d388

Root Hash in NNS proposal: e872d754f37dcd31558d2bb2829e2fe7fc33f61039bf6df66e9fdc1fa9fccea8

What am I missing?

1 Like

Thanks for this! I can pass it along

1 Like

Hi @0rions, There is about 10 more UpgradeSNSToNextVersion proposals needed for the CTS SNS to be at the latest versions for the SNS canisters. The UpgradeSNSToNextVersion proposal type upgrades the SNS in the same sequence as the canister-modules are added to the SNS-WASM. At this time the CTS SNS is running at the SNS canister versions up to proposal 130729. The current CTS proposal that you linked to upgrades to the next SNS canister version after 130729 which is the root canister upgrade to the module blessed in proposal 130820.
After that, the next CTS UpgradeSNSToNextVersion proposal will upgrade the governance canister to the module blessed in proposal 131399.
And so on until the SNS canisters are at their latest versions.

2 Likes

Thank you for the heads up! We are upgrading.

Please let us know if there is anything else we need to do for the upgrade.

1 Like

Thanks, noted for next time!

Here’s a script that can help visualize the upgrade path for your SNS.

Asusmptions:

  1. The script is run from the root of the IC mono repo, so the candid definitions are in the expected location.
  2. The tools dfx, idl2json, jq are installed.
  3. Tested in Bash 5.2
# Set the ID of your SNS's Governance canister
SNS_GOV_CANISTER_ID="igbbe-6yaaa-aaaaq-aadnq-cai"
# Obtain the current version that your SNS is running
dfx \
  --identity default \
  canister \
  --network ic \
  call \
  --candid rs/sns/governance/canister/governance.did \
  $SNS_GOV_CANISTER_ID get_running_sns_version \
    '(record {})' \
    | head -n 9 \
    | tail -n 6 \
      > "$SNS_GOV_CANISTER_ID.version"
# Get the upgrade path from your current version to the latest available version in SNS-W
dfx \
  --identity default \
  canister \
  --network ic \
  call \
  --candid rs/nns/sns-wasm/canister/sns-wasm.did \
  qaa6y-5yaaa-aaaaa-aaafa-cai list_upgrade_steps \
  "(
    record {
      limit = 100 : nat32;
      starting_at = opt record {
        $(cat "$SNS_GOV_CANISTER_ID.version")
      };
      sns_governance_canister_id = opt principal \"$SNS_GOV_CANISTER_ID\";
    },
  )" | idl2json | jq ".steps[].pretty_version"

Example output for CYCLES-TRANSFER-STATION:

[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "904b24dfa4c7eae27adb4835b60266131287873236d281abb8ca46d76179d214",
    "index_wasm_hash": "110352d412a97dce090dd902e9dbdc874211d0e7a5179b6814ec1694e45a2807",
    "ledger_wasm_hash": "26de3e745b0e98cc83850ebf0f8fd1a574905bf7c73d52fcf61ee3f35e4875e1",
    "root_wasm_hash": "2c6018ca27ae077a26acb63821d20328bf1db2dc2710d9a7245cd1c4ae22d388",
    "swap_wasm_hash": "67f64e705afd70c0de03529a8b914f122b3fb8920d9e9d81e357b8b5e2a4d10a"
  }
]
[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "a1d73b5e31669edacde9f767ecce598c03fa1cd71fe4873be5e0260076ed4e99",
    "index_wasm_hash": "110352d412a97dce090dd902e9dbdc874211d0e7a5179b6814ec1694e45a2807",
    "ledger_wasm_hash": "26de3e745b0e98cc83850ebf0f8fd1a574905bf7c73d52fcf61ee3f35e4875e1",
    "root_wasm_hash": "2c6018ca27ae077a26acb63821d20328bf1db2dc2710d9a7245cd1c4ae22d388",
    "swap_wasm_hash": "67f64e705afd70c0de03529a8b914f122b3fb8920d9e9d81e357b8b5e2a4d10a"
  }
]
[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "a1d73b5e31669edacde9f767ecce598c03fa1cd71fe4873be5e0260076ed4e99",
    "index_wasm_hash": "110352d412a97dce090dd902e9dbdc874211d0e7a5179b6814ec1694e45a2807",
    "ledger_wasm_hash": "26de3e745b0e98cc83850ebf0f8fd1a574905bf7c73d52fcf61ee3f35e4875e1",
    "root_wasm_hash": "2c6018ca27ae077a26acb63821d20328bf1db2dc2710d9a7245cd1c4ae22d388",
    "swap_wasm_hash": "0f553be99baaaf79f23e85392f4f09dba02f89a2f2ce93f2fa4819f3149b9f84"
  }
]
[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "3feb8ff7b47f53da83235e4c68676bb6db54df1e62df3681de9425ad5cf43be5",
    "index_wasm_hash": "110352d412a97dce090dd902e9dbdc874211d0e7a5179b6814ec1694e45a2807",
    "ledger_wasm_hash": "26de3e745b0e98cc83850ebf0f8fd1a574905bf7c73d52fcf61ee3f35e4875e1",
    "root_wasm_hash": "2c6018ca27ae077a26acb63821d20328bf1db2dc2710d9a7245cd1c4ae22d388",
    "swap_wasm_hash": "0f553be99baaaf79f23e85392f4f09dba02f89a2f2ce93f2fa4819f3149b9f84"
  }
]
[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "3feb8ff7b47f53da83235e4c68676bb6db54df1e62df3681de9425ad5cf43be5",
    "index_wasm_hash": "110352d412a97dce090dd902e9dbdc874211d0e7a5179b6814ec1694e45a2807",
    "ledger_wasm_hash": "26de3e745b0e98cc83850ebf0f8fd1a574905bf7c73d52fcf61ee3f35e4875e1",
    "root_wasm_hash": "e52741a712b3d0bccf35a65cf7d9dc06b7b45bd16451c5c19490f1074f56f0db",
    "swap_wasm_hash": "0f553be99baaaf79f23e85392f4f09dba02f89a2f2ce93f2fa4819f3149b9f84"
  }
]
[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "3feb8ff7b47f53da83235e4c68676bb6db54df1e62df3681de9425ad5cf43be5",
    "index_wasm_hash": "110352d412a97dce090dd902e9dbdc874211d0e7a5179b6814ec1694e45a2807",
    "ledger_wasm_hash": "26de3e745b0e98cc83850ebf0f8fd1a574905bf7c73d52fcf61ee3f35e4875e1",
    "root_wasm_hash": "e52741a712b3d0bccf35a65cf7d9dc06b7b45bd16451c5c19490f1074f56f0db",
    "swap_wasm_hash": "20c6fe772a0f5be86fda4ceff1e8e13b5071f9a85d83d6052c61e09084b406d6"
  }
]
[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "3feb8ff7b47f53da83235e4c68676bb6db54df1e62df3681de9425ad5cf43be5",
    "index_wasm_hash": "08ae5042c8e413716d04a08db886b8c6b01bb610b8197cdbe052c59538b924f0",
    "ledger_wasm_hash": "26de3e745b0e98cc83850ebf0f8fd1a574905bf7c73d52fcf61ee3f35e4875e1",
    "root_wasm_hash": "e52741a712b3d0bccf35a65cf7d9dc06b7b45bd16451c5c19490f1074f56f0db",
    "swap_wasm_hash": "20c6fe772a0f5be86fda4ceff1e8e13b5071f9a85d83d6052c61e09084b406d6"
  }
]
[
  {
    "archive_wasm_hash": "ea2df4e0e3f4e5e91d43baf281728b2443ab3236ba473d78913cfbe2b5763d3c",
    "governance_wasm_hash": "3feb8ff7b47f53da83235e4c68676bb6db54df1e62df3681de9425ad5cf43be5",
    "index_wasm_hash": "08ae5042c8e413716d04a08db886b8c6b01bb610b8197cdbe052c59538b924f0",
    "ledger_wasm_hash": "e8942f56f9439b89b13bd8037f357126e24f1e7932cf03018243347505959fd4",
    "root_wasm_hash": "e52741a712b3d0bccf35a65cf7d9dc06b7b45bd16451c5c19490f1074f56f0db",
    "swap_wasm_hash": "20c6fe772a0f5be86fda4ceff1e8e13b5071f9a85d83d6052c61e09084b406d6"
  }
]
[
  {
    "archive_wasm_hash": "5c595c2adc7f6d9971298fee2fa666929711e73341192ab70804c783a0eee03f",
    "governance_wasm_hash": "3feb8ff7b47f53da83235e4c68676bb6db54df1e62df3681de9425ad5cf43be5",
    "index_wasm_hash": "08ae5042c8e413716d04a08db886b8c6b01bb610b8197cdbe052c59538b924f0",
    "ledger_wasm_hash": "e8942f56f9439b89b13bd8037f357126e24f1e7932cf03018243347505959fd4",
    "root_wasm_hash": "e52741a712b3d0bccf35a65cf7d9dc06b7b45bd16451c5c19490f1074f56f0db",
    "swap_wasm_hash": "20c6fe772a0f5be86fda4ceff1e8e13b5071f9a85d83d6052c61e09084b406d6"
  }
]
[
  {
    "archive_wasm_hash": "5c595c2adc7f6d9971298fee2fa666929711e73341192ab70804c783a0eee03f",
    "governance_wasm_hash": "3feb8ff7b47f53da83235e4c68676bb6db54df1e62df3681de9425ad5cf43be5",
    "index_wasm_hash": "08ae5042c8e413716d04a08db886b8c6b01bb610b8197cdbe052c59538b924f0",
    "ledger_wasm_hash": "e8942f56f9439b89b13bd8037f357126e24f1e7932cf03018243347505959fd4",
    "root_wasm_hash": "e872d754f37dcd31558d2bb2829e2fe7fc33f61039bf6df66e9fdc1fa9fccea8",
    "swap_wasm_hash": "20c6fe772a0f5be86fda4ceff1e8e13b5071f9a85d83d6052c61e09084b406d6"
  }
]

The first element in the array corresponds to the current version of this SNS; the last element is the latest available configuration. At the moment, it seems like every single canister of this SNS is not at the latest version, so please consider upgrading soon!

Hope this helps.

3 Likes

Hi everyone,

We are following up with some details on the security issue that was addressed in proposal 131807. Some SNS canisters were affected by a bug in ic_cdk which is explained in this forum post.
For all impacted canisters, a proposal was adopted by the NNS to publish a new, fixed wasm to SNS-W. SNSs could then apply the fix to their canisters by continuous proposals to upgrade the SNS to the latest version.

This is a good reminder that in general SNS communities are encouraged to keep their DAO canisters up to date and apply upgrades regularly. This ensures that in urgent situations fixes can be deployed quickly.

3 Likes