Agoric-upgrade-12 security bulletin

:shield: Upgrade-12 Security Bulletin

This bulletin highlights security improvements in the recent Agoric upgrade, agoric-upgrade-12.

CometBFT Advisory ASA-2023-002 aka p2p storms

:white_check_mark: #8483: Mitigate p2p storm CometBFT advisory

  • This advisory pertains to a default CometBFT configuration that is excessively permissive for common use cases. It may be abused to increase block times, affecting chain availability as nodes fall out of consensus, with possible downstream effects leading to a chain halt.
  • Our initial mitigation is to tune the consensus parameter BlockParams.MaxBytes down to 5 MB, a more reasonable size for our use cases.
  • We are additionally exploring and testing more of the recommended mitigations. This is a reminder that it is important to explore the tuning and implications of consensus parameters, especially as our chain evolves!
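As an added check (not code from this bulletin or the Agoric repository), the helper below reads the consensus-params JSON that CometBFT emits and flags a chain whose block.max_bytes is still above the 5 MB bound, or unset (which means the permissive shipped default applies). The JSON shape, the reading of 5 MB as 5 MiB, and the sample values are assumptions.

```python
import json

# CometBFT's shipped default for block.max_bytes (21 MiB), the value ASA-2023-002 is about.
COMETBFT_DEFAULT_MAX_BYTES = 22_020_096
# The bulletin's 5 MB target; assumed here to mean 5 MiB.
AGORIC_UPGRADE_12_LIMIT = 5 * 1024 * 1024

# Constructed sample resembling a consensus-params query response
# (CometBFT encodes int64 fields as JSON strings).
SAMPLE_PARAMS = json.dumps({
    "block": {"max_bytes": "5242880", "max_gas": "-1"},
    "evidence": {"max_age_num_blocks": "100000"},
})


def block_max_bytes(params_json: str) -> int:
    """Return block.max_bytes, falling back to the CometBFT default when unset."""
    params = json.loads(params_json)
    raw = params.get("block", {}).get("max_bytes")
    if raw is None:
        return COMETBFT_DEFAULT_MAX_BYTES
    value = int(raw)
    # CometBFT accepts -1 (no per-block limit) or a positive size; anything else is malformed.
    if value == 0 or value < -1:
        raise ValueError(f"invalid block.max_bytes: {raw!r}")
    return value


def check_max_bytes(params_json: str, limit: int = AGORIC_UPGRADE_12_LIMIT) -> dict:
    """Report whether the chain's block size bound is within the mitigated limit.

    'ok' is False when the value is unlimited (-1) or larger than `limit`;
    'at_default' tells the operator the permissive CometBFT default is in effect.
    """
    value = block_max_bytes(params_json)
    unlimited = value == -1
    return {
        "max_bytes": value,
        "limit": limit,
        "unlimited": unlimited,
        "at_default": value == COMETBFT_DEFAULT_MAX_BYTES,
        "ok": (not unlimited) and value <= limit,
    }


if __name__ == "__main__":
    print(check_max_bytes(SAMPLE_PARAMS))
```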

Virtual storage module path validation

:white_check_mark: #8337: vstorage module path validation regular expression is incorrect

  • This is an additional improvement to the security vulnerability we patched in our previous release, agoric-upgrade-11.
  • See previous notice for more details on related issues fixed in agoric-upgrade-11.

For a full list of changes that include non-security fixes, see the agoric-upgrade-12 release notes.

If you need to get in touch with the Agoric security team, do not hesitate to email us. As a reminder, we have a bug bounty and reward vulnerabilities reported to us via HackerOne.