The implications of the Solana Wormhole hack on the IC

IIUC the attacker exploited a bug in Solana that was committed to the Solana repo on January 16 but hadn’t been “deployed” when the hack was initiated on February 2. Kinda funny, but also seriously alarming.

Silly question, but how do you stop stuff like that? The dfinity/ic repo is also constantly being updated, but new replica binaries aren’t rolled out until weeks afterwards, after the corresponding NNS proposal is approved.

Should sensitive bug fix PRs be made private? I don’t know if that even is possible…

3 Likes

I think they used to use gitlab (before publishing ic to github) - I assume they still have it and they would probably use it;

For the replica upgrades - my guess is they could bypass the NNS as it’s beta and there is no NNS enforced on-chain replica upgrade (yet);


Note: More details about the attack here ( https://twitter.com/kelvinfichter/status/1489041221947375616 )

I think they used to use gitlab (before publishing ic to github) - I assume they still have it and they would probably use it;

Even if they still use GitLab internally, all of the commits on the GitHub repo are still published in real time. So IIUC anyone could see whether a bug was fixed recently, i.e. O(~days), but not yet deployed via a NNS upgrade, which is O(~weeks).

For the replica upgrades - my guess is they could bypass the NNS as it’s beta and there is no NNS enforced on-chain replica upgrade (yet);

NNS is used to manage on-chain replica upgrades. There is no mechanism to “bypass” the NNS, except for the special situation where the governance canister goes down and 2/3 of node providers must vote to upgrade that canister. The Internet Computer is a blockchain managed by a DAO, and it’s working right now!

You can see a recent replica upgrade proposal here.

1 Like

You are right, any upgrade must go through the NNS, so it will take some time.
However, if a security vulnerability is discovered and our security experts consider it a critical issue, we can publish a proposal shortly after publishing the code, keeping the time interval between making the vulnerability public and the fix being applied very short.

So, yes, there can be days/weeks between updates but they can be rolled out quickly if necessary.

2 Likes