Timestamp failed to pass the watermark after retrying the configured 3 times

senior.joinu · April 1, 2024, 8:24am

After upgrading agent-js to v1.2 we started to observe the following error during ICP token balance fetching:

Timestamp failed to pass the watermark after retrying the configured 3 times. We cannot guarantee the integrity of the response since it could be a replay attack.

All the other tokens work fine - we’re able to fetch the balance without this error most of the time, but sometimes it appears for other tokens as well. Seems like the probability for this error to appear is something like 95% for ICP and 10% for other tokens.

Maybe, something is wrong with our latency expectations. How do we fix that?

Thanks in advance!

kpeacock · April 1, 2024, 4:10pm

Interesting! It may have something to do with the volume of transactions coming through the ICP canister. This is great feedback, and there are a few ways we can handle this.

Things you can do right now

You could wait a second and retry the query if it fails watermarking
You could set a higher retry time count

Things I can do:

Add additional / exponential delay to the retries
Test against the ICP ledger on mainnet and set a more reliable default

senior.joinu · April 1, 2024, 6:18pm

Thanks! We will try this first thing tomorrow and report back to you.

I don’t know if it helps, but maybe you could reproduce this issue setting the browser into throttling mode.

senior.joinu · April 2, 2024, 10:41am

Yes, retrying more times helps.
Set to 10 just to be sure.

Thanks!

kpeacock · April 2, 2024, 6:40pm

Here’s a PR - I’d appreciate your feedback on the design and naming!

github.com/dfinity/agent-js

feat: retry delay strategy

dfinity:main ← dfinity:kai/SDK-1562-watermark-retry-delay

opened 06:39PM - 02 Apr 24 UTC

krpeacock

+84 -4

# Description Developers have noticed the agent is more frequently erroring w…ith the new watermark protections against replay attacks / stale data. This feature adds a delay strategy for retries that will allow for more time for nodes to catch up, with exponential increases to the rate Fixes SDK-1562 # How Has This Been Tested? new e2e tests # Checklist: - [ ] My changes follow the guidelines in [CONTRIBUTING.md](https://github.com/dfinity/agent-js/blob/main/CONTRIBUTING.md). - [ ] The title of this PR complies with [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/). - [ ] I have edited the CHANGELOG accordingly. - [ ] I have made corresponding changes to the documentation.

peterparker · April 20, 2024, 8:52am

I just faced it took in Oisy Wallet. Any progress on the fix?

kpeacock · May 1, 2024, 10:14pm

Sorry for the delay. The new strategy has been merged today - feat: retry delay strategy by krpeacock · Pull Request #871 · dfinity/agent-js · GitHub

kpeacock · May 1, 2024, 11:13pm

And now the fix is out - Agent-JS 1.3.0 is released!

_Eric · July 4, 2024, 5:50am

hi, I’m having this problem again with agent-js 1.3.0.

kpeacock · July 9, 2024, 3:35pm

Which canister is this targeting? Is it the ICP ledger again?

I believe the delay is working correctly, so this might just mean that the retryTimes count should be increased

timo · July 12, 2024, 7:55pm

What is this “watermark protections against replay attacks / stale data”? Is it documented somewhere? I would like to understand what causes and throws the error. Is it the gateway, boundary node, replica? And under what circumstances exactly?

senior.joinu · July 16, 2024, 2:59pm

I see two potential places where this problem could happen.

Here blsVerify is passed instead of the actual request. Typescript doesn’t catch that, becase the request is of type any in the definition of pollForResponse.

github.com

dfinity/agent-js/blob/main/packages/agent/src/actor.ts#L544


      
          requestId;
          response;
          requestDetails;
          
          if (!response.ok || response.body /* IC-1462 */) {
            throw new UpdateCallRejectedError(cid, methodName, requestId, response);
          }
          
          const pollStrategy = pollingStrategyFactory();
          // Contains the certificate and the reply from the boundary node
          const { certificate, reply } = await pollForResponse(
            agent,
            ecid,
            requestId,
            pollStrategy,
            blsVerify,
          );
          reply;
          const shouldIncludeHttpDetails = func.annotations.includes(ACTOR_METHOD_WITH_HTTP_DETAILS);
          const shouldIncludeCertificate = func.annotations.includes(ACTOR_METHOD_WITH_CERTIFICATE);

The fix is:

const { certificate, reply } = await pollForResponse(
  agent,
  ecid,
  requestId,
  pollStrategy,
  undefined,
  blsVerify,
);

And here blsVerify isn’t propagated through the recursion.

github.com

dfinity/agent-js/blob/main/packages/agent/src/polling/index.ts#L71


      
              reply: lookupResultToBuffer(cert.lookup([...path, 'reply']))!,
              certificate: cert,
            };
          }
          
          case RequestStatusResponseStatus.Received:
          case RequestStatusResponseStatus.Unknown:
          case RequestStatusResponseStatus.Processing:
            // Execute the polling strategy, then retry.
            await strategy(canisterId, requestId, status);
            return pollForResponse(agent, canisterId, requestId, strategy, currentRequest);
          
          case RequestStatusResponseStatus.Rejected: {
            const rejectCode = new Uint8Array(
              lookupResultToBuffer(cert.lookup([...path, 'reject_code']))!,
            )[0];
            const rejectMessage = new TextDecoder().decode(
              lookupResultToBuffer(cert.lookup([...path, 'reject_message']))!,
            );
            throw new Error(
              `Call was rejected:\n` +

The fix is:

return pollForResponse(agent, canisterId, requestId, strategy, currentRequest, blsVerify);

kpeacock · July 23, 2024, 9:44pm

This is an agent error. It was introduced to prevent allowing stale data through that has a timestamp before the last known block that came in as a call.

This can prevent against ordinary stale data, or a malicious MITM replay attack. Since a node can fall behind, a valid canister signature may still come back, but we know that the state may have changed in a more recent block.

In theory, another request or two with a slight delay should hit a different node, or allow the behind node to catch up.

Despite the security advantages of this feature, this has been leading to increased client errors and degrading the user experience.

kpeacock · July 23, 2024, 10:11pm

Thank you for identifying this mistake! I’ve opened a PR here - fix: passing request correctly during pollForResponse Processing status by krpeacock · Pull Request #909 · dfinity/agent-js · GitHub. I don’t know of a good way to test this flow to verify the theory that this was causing the error, and the fix will resolve it, though. There isn’t any tooling to produce a Processing response back from a test replica that I know of

timo · July 24, 2024, 4:58am

So the correct way to handle it is simply to retry the call?

nadiein · October 22, 2024, 2:17pm

heya frens,

after updating agent-js to v2.1.2 we encountered this error again.
is anyone else facing it again?

@kpeacock, by any chance do you already aware of it?

thanks

kpeacock · October 22, 2024, 3:51pm

@timo also called this out to me. It’s on my radar and important, but I have to get a couple other things taken care of before I can investigate fully. It’s possible this is happening more frequently with the higher load incidences, but I’ll hunt for a flaw in the logic

Topic		Replies	Views
Agent-JS 0.14.0 - AssetManager & Retry logic JavaScript	5	690	February 21, 2023
Upgrade agent-js to resolve a Chrome issue Developers	9	715	September 14, 2023
Ingress Expiry Issue - Your Input Needed! Developers	8	197	October 2, 2024
Intermittent "Signature verification failed" errors from AgentJS Developers	6	385	May 9, 2024
I having trouble transferring ICP from the NNS Dapp General	15	144	October 14, 2024

Timestamp failed to pass the watermark after retrying the configured 3 times

Related topics