Thanks @evan for preparing that analysis! Here is my attempt at applying a more exhaustive security considerations framework to PFM.
Battle tested
Which chains have PFM deployed?
| Chain | PFM | Deployed since |
|---|---|---|
| Cosmos Hub | Yes | 2021-11-24 |
| DYDX | No | N/A |
| Noble | Yes | 2023-01-16 |
| Osmosis | Yes | 2023-02-08 |
A more exhaustive list sourced from @bpiv400:
- Bitsong - bitsong-2b
- Assetmantle - mantle-1
- Persistence - core-1
- Neutron - neutron-1
- Juno - juno-1
- Stride - stride-1
- Dymension - dymension_1100-1
- Quicksilver - quicksilver-2
- Omniflixhub - omniflixhub-1
- Secret - secret-4
- Cosmoshub - cosmoshub-4
- Stargaze - stargaze-1
- Xpla - dimension_37-1
- Osmosis - osmosis-1
- Terra2 - phoenix-1
- Carbon - carbon-1
- Teritori - teritori-1
- Comdex - comdex-1
- Composable - centauri-1
- Oraichain - Oraichain
- Noble - noble-1
- Migaloo - migaloo-1
- Injective - injective-1
Have there been any known exploits?
- Mandrake vulnerability: incorrect accounting led to a discrepancy where assets in the escrow account ≠ assets on the counterparty chain. The fix is in this PR.
- Pigeonfall vulnerability: could cause a chain halt. The fix is in this PR.
- ViperStrike vulnerability: could cause a chain halt. The fix is in this PR.
Blast radius
Could cause a chain halt (based on the Pigeonfall vulnerability). Could result in a user temporarily losing access to funds (based on the PR description).
Audit history
PFM hasn’t been audited yet. Strangelove plans to have Zellic audit PFM in May / June.
Complexity
The PFM implementation exists here. It spans:
- 51 Go files for implementation + tests + types
- 21 Go files for implementation
- 2048 lines of Go code
Note: file / line count is an extremely crude proxy for complexity.
Unforeseen consequences
The IBC memo field is unbounded. Since one byte in the IBC memo field costs 10 gas (see issue) and blob.GasPerBlobByte=8, we expect blobs to remain more favorable for large data. However, if PFM usage spikes, blocks may be filled with IBC memo data instead of blobs.
We may consider limiting the memo field to mitigate this.
Chains should ensure that there is some length limit on the entire packet data to ensure that the packet does not become a DOS vector.
Conclusion
I’m in favor of including PFM in the Lemongrass upgrade.
Note on audit timelines: the celestia-app v2 audit is tentatively scheduled for late May / early June which coincides with the Zellic audit of PFM. Celestia should be prepared to upgrade the PFM dependency shortly before activation of the Lemongrass upgrade if the Zellic audit identifies any critical issues.
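Added example (not code from the post, PFM or celestia-app) illustrating the "Unforeseen consequences" points above: a chain-side check that rejects ICS-20 packet data whose memo exceeds a length cap, next to the memo-vs-blob gas comparison using the rates quoted in the post (10 gas per memo byte, blob.GasPerBlobByte=8). The packet-data struct, BuildPacket, ValidateMemoLength and the MaxMemoBytes cap of 32 KiB are hypothetical; the post gives no specific limit.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Gas rates quoted in the post: 10 gas per IBC memo byte (per the linked
// issue) and blob.GasPerBlobByte = 8. Copied here as constants for the
// comparison; they are not read from celestia-app.
const (
	GasPerMemoByte = 10
	GasPerBlobByte = 8
)

// MaxMemoBytes is a hypothetical per-chain cap on the memo. The post does
// not name a number, so this value is an assumption for illustration only.
const MaxMemoBytes = 32 * 1024

// fungibleTokenPacketData is a local type mirroring the ICS-20 packet data
// JSON shape (denom, amount, sender, receiver, memo). It is not the ibc-go type.
type fungibleTokenPacketData struct {
	Denom    string `json:"denom"`
	Amount   string `json:"amount"`
	Sender   string `json:"sender"`
	Receiver string `json:"receiver"`
	Memo     string `json:"memo,omitempty"`
}

// BuildPacket encodes constructed ICS-20 packet data carrying the given memo.
func BuildPacket(memo string) ([]byte, error) {
	return json.Marshal(fungibleTokenPacketData{
		Denom: "utia", Amount: "1000",
		Sender: "celestia1sender", Receiver: "pfm", Memo: memo,
	})
}

// ValidateMemoLength decodes packet data and rejects it when the memo is
// longer than maxMemo bytes. The memo length is returned in both cases so a
// caller can log how far over the limit a rejected packet was.
func ValidateMemoLength(packet []byte, maxMemo int) (int, error) {
	var data fungibleTokenPacketData
	if err := json.Unmarshal(packet, &data); err != nil {
		return 0, fmt.Errorf("malformed packet data: %w", err)
	}
	n := len(data.Memo)
	if n > maxMemo {
		return n, fmt.Errorf("memo of %d bytes exceeds limit of %d bytes", n, maxMemo)
	}
	return n, nil
}

// MemoGas and BlobGas return the gas charged for n bytes carried each way.
func MemoGas(n int) int { return n * GasPerMemoByte }
func BlobGas(n int) int { return n * GasPerBlobByte }

// BlobIsCheaper reports whether n bytes cost less gas as a blob than as a memo.
func BlobIsCheaper(n int) bool { return BlobGas(n) < MemoGas(n) }

func main() {
	// Constructed sample: a PFM-style forward memo inside ICS-20 packet data.
	forward := `{"forward":{"receiver":"osmo1dest","port":"transfer","channel":"channel-0"}}`
	packet, err := BuildPacket(forward)
	if err != nil {
		panic(err)
	}
	n, err := ValidateMemoLength(packet, MaxMemoBytes)
	fmt.Printf("memo=%d bytes err=%v memoGas=%d blobGas=%d blobCheaper=%v\n",
		n, err, MemoGas(n), BlobGas(n), BlobIsCheaper(n))

	// An oversized memo is rejected before any forwarding logic runs.
	big, _ := BuildPacket(strings.Repeat("x", MaxMemoBytes+1))
	if _, err := ValidateMemoLength(big, MaxMemoBytes); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The length check runs on the decoded memo rather than the raw packet bytes, so a cap on total packet data (as the post recommends) would be a separate, stricter bound applied before decoding; the gas comparison shows that at these rates a blob is always cheaper per byte, which is why memo traffic only displaces blobs if it arrives in volume.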