
docs: add transaction malleability docs (backport #23958) #24050


Merged
merged 2 commits into from
Mar 18, 2025

Conversation

mergify[bot] (Contributor) commented Mar 18, 2025

Description

@aljo242 @technicallyty I wasn't sure where to put this so for now it's just in docs/ so let me know your thoughts.


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title, you can find examples of the prefixes below:

  • confirmed ! in the type prefix if API or client breaking change

  • targeted the correct branch (see PR Targeting)

  • provided a link to the relevant issue or specification

  • reviewed "Files changed" and left comments if necessary

  • included the necessary unit and integration tests

  • added a changelog entry to CHANGELOG.md

  • updated the relevant documentation or specification, including comments for documenting Go code

  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.

Please see Pull Request Reviewer section in the contributing guide for more information on how to review a pull request.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic, API design and naming, documentation is accurate, tests and test coverage

Summary by CodeRabbit

  • Documentation
    • Expanded the architectural documentation with a new accepted entry focused on transaction malleability risks. The update introduces an analysis of potential risks related to transaction manipulation and provides recommendations for enhancing transaction signing processes.

This is an automatic backport of pull request #23958 done by [Mergify](https://mergify.com).

Co-authored-by: Alex | Interchain Labs <[email protected]>
(cherry picked from commit 9f8a03f)

# Conflicts:
#	docs/architecture/README.md
@mergify mergify bot added the conflicts label Mar 18, 2025
@mergify mergify bot requested a review from a team March 18, 2025 17:39
mergify[bot] (Contributor, Author) commented Mar 18, 2025

Cherry-pick of 9f8a03f has failed:

On branch mergify/bp/release/v0.53.x/pr-23958
Your branch is up to date with 'origin/release/v0.53.x'.

You are currently cherry-picking commit 9f8a03fa4.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	new file:   docs/architecture/adr-076-tx-malleability.md

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   docs/architecture/README.md

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

github-actions bot (Contributor) commented Mar 18, 2025

⚠️ govulncheck found vulnerabilities:

mkdir -p /home/runner/work/cosmos-sdk/cosmos-sdk/build/
GOBIN=/home/runner/work/cosmos-sdk/cosmos-sdk/build go install golang.org/x/vuln/cmd/govulncheck@latest
go: downloading golang.org/x/vuln v1.1.4
go: downloading golang.org/x/telemetry v0.0.0-20240522233618-39ace7a40ae7
go: downloading golang.org/x/mod v0.22.0
go: downloading golang.org/x/tools v0.29.0
/home/runner/work/cosmos-sdk/cosmos-sdk/build/govulncheck ./...
=== Symbol Results ===

Vulnerability #1: GO-2025-3443
    CometBFT allows a malicious peer to stall the network by disseminating
    seemingly valid block parts in github.com/cometbft/cometbft
  More info: https://pkg.go.dev/vuln/GO-2025-3443
  Module: github.com/cometbft/cometbft
    Found in: github.com/cometbft/[email protected]
    Fixed in: github.com/cometbft/[email protected]
    Example traces found:
      #1: testutil/network/util.go:74:24: network.startInProcess calls service.BaseService.Start, which eventually calls types.Part.ValidateBasic
      #2: testutil/network/util.go:74:24: network.startInProcess calls service.BaseService.Start, which eventually calls types.Part.ValidateBasic
      #3: client/rpc/block.go:56:36: rpc.QueryBlocks calls local.Local.BlockSearch, which eventually calls types.PartFromProto
      #4: client/rpc/block.go:56:36: rpc.QueryBlocks calls local.Local.BlockSearch, which eventually calls types.PartFromProto

Your code is affected by 1 vulnerability from 1 module.
This scan also found 0 vulnerabilities in packages you import and 2
vulnerabilities in modules you require, but your code doesn't appear to call
these vulnerabilities.
Use '-show verbose' for more details.
make: *** [Makefile:155: vulncheck] Error 3
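
The report above is govulncheck in symbol mode: GO-2025-3443 fails the `vulncheck` target because a call chain from cosmos-sdk code (`network.startInProcess`, `rpc.QueryBlocks`) reaches the vulnerable CometBFT symbol, while the two other findings sit in required modules whose vulnerable code is never called. A CI gate that wants to treat those cases differently can read the machine-readable form of the same report. The program below is an added example written for this page, not code from the cosmos-sdk repository or its Makefile target. It parses a `govulncheck -json` stream, classifies each OSV id as module-, package- or symbol-level from the shape of its first trace frame (an assumption about the golang.org/x/vuln JSON output: a module-only frame, then one with a package, then one with a function), keeps the reachable call chain as evidence, and exits 3 (govulncheck's own status for "findings", the `Error 3` in the log) only when some finding is reachable, unless run in strict mode. The embedded stream is constructed: it carries the GO-2025-3443 chain from the log and placeholder `GO-EXAMPLE-*` ids for the lower levels, with version fields omitted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
)

// Frame is one entry of a govulncheck -json "finding" trace. Assumption (from x/vuln's JSON output):
// module-level findings carry only a module, package-level add a package, symbol-level add the function.
type Frame struct{ Module, Package, Function string } // encoding/json matches keys case-insensitively

type Finding struct {
	OSV   string
	Trace []Frame // vulnerable symbol first, entry point in the scanned code last
}

type Level int // how precisely the scanner tied a vulnerability to the scanned code

const (
	ModuleLevel  Level = iota // module required, vulnerable package not imported
	PackageLevel              // package imported, vulnerable symbol not reached
	SymbolLevel               // vulnerable symbol reachable from the scanned code
)

func (l Level) String() string { return [...]string{"module", "package", "symbol"}[l] }

// Classify reads the level off the first frame, which is the vulnerable symbol.
func Classify(f *Finding) Level {
	if len(f.Trace) == 0 || f.Trace[0].Package == "" {
		return ModuleLevel
	}
	if f.Trace[0].Function == "" {
		return PackageLevel
	}
	return SymbolLevel
}

// Report keeps, per OSV id, the highest level seen and the first symbol-level trace (the evidence).
type Report struct {
	Levels map[string]Level
	Traces map[string][]Frame
}

// ParseStream reads a govulncheck -json stream; config/progress/osv messages decode to a nil Finding.
func ParseStream(r io.Reader) (*Report, error) {
	rep := &Report{Levels: map[string]Level{}, Traces: map[string][]Frame{}}
	dec := json.NewDecoder(r)
	for dec.More() { // true while another top-level JSON value follows
		var m struct{ Finding *Finding }
		if err := dec.Decode(&m); err != nil {
			return nil, err
		}
		if m.Finding == nil {
			continue
		}
		id, lvl := m.Finding.OSV, Classify(m.Finding)
		if cur, seen := rep.Levels[id]; !seen || lvl > cur {
			rep.Levels[id] = lvl
		}
		if lvl == SymbolLevel && rep.Traces[id] == nil {
			rep.Traces[id] = m.Finding.Trace
		}
	}
	return rep, nil
}

// ExitCode keeps govulncheck's convention (0 clean, 3 findings) but fails only on reachable findings unless strict.
func (r *Report) ExitCode(strict bool) int {
	for _, l := range r.Levels {
		if strict || l == SymbolLevel {
			return 3
		}
	}
	return 0
}

// SampleStream is constructed input: the GO-2025-3443 chain from the CI log above plus placeholder ids.
const SampleStream = `{"config":{"scanner_name":"govulncheck"}}
{"finding":{"osv":"GO-2025-3443","trace":[{"module":"github.com/cometbft/cometbft"}]}}
{"finding":{"osv":"GO-2025-3443","trace":[{"module":"github.com/cometbft/cometbft","package":"github.com/cometbft/cometbft/types"}]}}
{"finding":{"osv":"GO-2025-3443","trace":[{"module":"github.com/cometbft/cometbft","package":"github.com/cometbft/cometbft/types","function":"Part.ValidateBasic"},{"module":"github.com/cosmos/cosmos-sdk","package":"github.com/cosmos/cosmos-sdk/testutil/network","function":"startInProcess"}]}}
{"finding":{"osv":"GO-EXAMPLE-0001","trace":[{"module":"example.com/required-only"}]}}
{"finding":{"osv":"GO-EXAMPLE-0002","trace":[{"module":"example.com/imported","package":"example.com/imported/pkg"}]}}`

func main() {
	rep, err := ParseStream(strings.NewReader(SampleStream)) // swap in os.Stdin to gate a real run
	if err != nil {
		fmt.Fprintln(os.Stderr, "bad govulncheck stream:", err)
		os.Exit(2)
	}
	for id, lvl := range rep.Levels {
		fmt.Printf("%-16s %-8v %v\n", id, lvl, rep.Traces[id]) // chain is non-empty only for symbol-level ids
	}
	os.Exit(rep.ExitCode(false))
}
```

To gate a real run, read `os.Stdin` instead of the sample and pipe `govulncheck -json ./...` into the program. The lenient mode is a triage policy, not a safety guarantee: the scanner's reachability analysis is static, so calls made through reflection or from binaries outside the scanned packages are not seen, and a module-level finding such as the two in the log still belongs on the dependency-bump backlog rather than being silenced.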

@aljo242 aljo242 merged commit 998a124 into release/v0.53.x Mar 18, 2025
43 of 44 checks passed
@aljo242 aljo242 deleted the mergify/bp/release/v0.53.x/pr-23958 branch March 18, 2025 20:07