BLDer DAO governance using arbitrary code injection: swingset.CoreEval

Capability security enables the concise composition of powerful patterns of cooperation without vulnerability. For a quick 3 minute intro, see:

Because so much software does not take advantage of capability security, the Open Web Application Security Project (OWASP) defines Code Injection as …

… the general term for attack types which consist of injecting code that is then interpreted/executed by the application.

But code injection isn’t the problem. Excess authority is the problem.

In fact, since Hardened JavaScript provides capability security so that we can provide each component with the least authority it needs, the Agoric chain uses code injection as a flexible extension to cosmos governance: swingset.CoreEval.

One way we use this mechanism is to start new instances of the PSM contract to enable more tokens to trade for IST. We tested this feature shortly before launch:

That proposal contains this JavaScript code:

const anchorOptions = {
  keyword: 'USDC_axl',
  proposedName: 'USD Coin',
  decimalPlaces: 6,
  denom: 'ibc/4B53406F2FD21ABE4EF15977D0585D0C1B9C1DBBA1F911BD1463F42B067FB4D8',
};

const config = {
  options: { anchorOptions },
  WantMintedFeeBP: 2n,
  GiveMintedFeeBP: 5n,
  MINT_LIMIT: 16_000_000000n,
};

const main = async permittedPowers => {
  console.log('starting PSM:', anchorOptions);
  // Split feeMintAccess off from the rest of the permitted powers.
  const {
    consume: { feeMintAccess: _, ...restC },
    ...restP
  } = permittedPowers;
  // Everything the proposal was granted, minus the ability to mint IST.
  const noMinting = { consume: restC, ...restP };
  await Promise.all([
    startPSM.makeAnchorAsset(noMinting, {
      options: { anchorOptions },
    }),
    startPSM.startPSM(permittedPowers, config),
  ]);
  console.log('started PSM:', config);
};

// "export" from script
main;

When the voting period ends, provided the proposal passes, that code is evaluated and passed just the permittedPowers specified in another part of the proposal. Since the PSM contract needs to mint new IST, the permitted powers include that capability, called feeMintAccess from its name in the Zoe API. (Note that feeMintAccess is stripped out of the powers passed to makeAnchorAsset, since that function does not need it.) BLDer DAO stakers should be very careful with proposals that permit feeMintAccess!

For reference: the startPSM.makeAnchorAsset and startPSM.startPSM functions come from packages/inter-protocol/src/proposals/startPSM.js.
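The attenuation described above, as an added example that is not from this post or from the agoric-sdk code base: a constructed, simplified model of the CoreEval flow in which a permit manifest selects what the evaluated script receives, and the script's own destructuring strips feeMintAccess before the anchor-asset step. fullPowers, selectPowers, coreEval, the permit shapes and the sample script are assumptions made for this example.

```javascript
// Constructed model of the swingset.CoreEval flow above (names and shapes are
// assumptions, not Agoric's bootstrap API): a proposal is a permit manifest plus
// a script; the script is evaluated and handed only the powers the permit names.
const fullPowers = {
  consume: {
    feeMintAccess: { mint: amount => `minted ${amount} IST` },
    zoe: { startInstance: name => `instance of ${name}` },
    agoricNames: { lookup: key => `name:${key}` },
  },
  produce: { psmKit: { resolve: v => v } },
};

// Walk the permit: `true` grants the power at that key, a nested object
// recurses, and anything the permit does not mention is never handed over.
function selectPowers(powers, permit) {
  const out = {};
  for (const [key, value] of Object.entries(permit)) {
    if (!(key in powers)) continue;
    out[key] = value === true ? powers[key] : selectPowers(powers[key], value);
  }
  return out;
}

// Evaluate the script; its completion value (the trailing `main;`) is the
// "export", which is then called with the attenuated powers only.
function coreEval(powers, { permit, script }) {
  const main = (0, eval)(script);
  return main(selectPowers(powers, permit));
}

// A script in the shape of the PSM proposal: it strips feeMintAccess before
// passing powers on to the anchor-asset step. Synchronous here for brevity.
const psmScript = `
  const main = permittedPowers => {
    const { consume: { feeMintAccess: _, ...restC }, ...restP } = permittedPowers;
    const noMinting = { consume: restC, ...restP };
    return {
      psmCanMint: 'feeMintAccess' in permittedPowers.consume,
      anchorCanMint: 'feeMintAccess' in noMinting.consume,
      anchorKeys: Object.keys(noMinting.consume).join(','),
    };
  };
  main;
`;
// One proposal whose permit grants feeMintAccess, and one whose permit does not.
const mintingPermit = { consume: { feeMintAccess: true, zoe: true }, produce: { psmKit: true } };
const noMintPermit = { consume: { zoe: true, agoricNames: true } };
const runMintingProposal = () => coreEval(fullPowers, { permit: mintingPermit, script: psmScript });
const runNoMintProposal = () => coreEval(fullPowers, { permit: noMintPermit, script: psmScript });
```

Whether the script can reach feeMintAccess is decided by the permit, not by anything the script says; the anchor-asset step never sees it in either case.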

To dig a little deeper on capability security, check out:

Acknowledgement: the swingset.CoreEval feature started with a Jan 2021 design sketch by Michael Fig:


So every BLDer DAO will have the power to mint whatever they want? What's stopping them from minting to infinity?

There is just one BLDer DAO. The BLDer DAO is sort of a nickname for the BLD stakers who decide chain-wide governance proposals.

Self-interest, I suppose. I expect their investment in BLD would be negatively affected by starting a contract that mints IST that isn't well backed.
