Namada Shield Expedition is the Worst and Not Fair Competition 💩💩💩💩

I am joined with my friend as a team to compete in Namada Shield Expedition with user id tpknam1qz3eh8gfqgr2m44cfu3pg6sun4wgt75jwc8jvd85ax0wv24tfrrsc78gjet .

In the competition my friend make mistake and he create telegram bot that copying code from other submission. I know its fault and should not be accepted.

So, all of my submission is banned.

But.. yesterday after i read finasl S-class review. Some user has tagged as "copying code" same with me. But they are not banned from all submission. They only banned from single submission.

So, is it fair to me Namada ?

You have biggest not fair competition, Namada.

Title:

• Finding Security Vulnerabilities.

Summary:

• Crash when executing an tx-result transaction.

Details:

• When executing the command namadac tx-result --tx-hash "DuyTestSomething '&& 1=1" during testing phases to assess SQL injection vulnerabilities, the application crashes. The error message received is as follows:

The application panicked (crashed).
Message:  Unable to query for transaction with given hash: 
   0: response error
   1: Internal error: 
      parse error near PegText (line 1 symbol 17 - line 1 symbol 40):
      "'DuyTestSomething \\'"
       (code: -32603)

Location:
   /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/flex-error-0.4.4/src/tracer_impl/eyre.rs:10

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
Location: /home/runner/work/namada/namada/crates/sdk/src/rpc.rs:683

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.

Steps to Reproduce:

1. Execute the command namadac tx-result --tx-hash "DuyTestSomething '&& 1=1".
2. Observe the application crash.

Expected Behavior:

• The application should handle the SQL injection test gracefully, providing appropriate error handling or rejecting the input.

Actual Behavior:

• The application crashes with the provided error message when encountering the SQL injection test.

Additional Information:

• This issue poses a potential security risk as it indicates vulnerability to SQL injection attacks.
• The error message suggests an internal parsing error near the provided input 'DuyTestSomething \'.

Environment:

• Operating System: Linux Ubuntu 22.04.4 LTS
• Application Version: v0.31.9

Proposed Solution:

• Review the code handling transaction queries to identify and fix the parsing error.
• Implement input validation or sanitization to prevent SQL injection vulnerabilities.
• Consider adopting parameterized queries or ORM frameworks to mitigate SQL injection risks.

namadac unjail-validator --validator sashacrypto
Looking-up public key of tnam1qymhasuf3rasysxgxxesg30f3agst6mehsxzsz7a from the ledger...
Transaction added to mempool.
Wrapper transaction hash: 04228B993BE67CD1ADE372EA553D5FF2CD321F748C46B92E09212E925FCD1F5C
Inner transaction hash: 37E960C41210BE1FFC449443D6E6FFD5BF943D273E557C40E0BC58FC4F6ED2C7
Wrapper transaction accepted at height 242863. Used 21 gas.
Waiting for inner transaction result...
Transaction was rejected by VPs: [
"tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa"
].
Changed keys: [
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa/state/last_update",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa/state/lazy_map/data/000000000003G",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa/state/lazy_map/data/000000000003K",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa/state/lazy_map/data/000000000003O",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa/state/lazy_map/data/0000000000040",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa/state/oldest_epoch",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1qymhasuf3rasysxgxxesg30f3agst6mehsxzsz7a/state/last_update",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1qymhasuf3rasysxgxxesg30f3agst6mehsxzsz7a/state/lazy_map/data/000000000003M",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1qymhasuf3rasysxgxxesg30f3agst6mehsxzsz7a/state/lazy_map/data/000000000003O",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1qymhasuf3rasysxgxxesg30f3agst6mehsxzsz7a/state/lazy_map/data/0000000000040",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator/#tnam1qymhasuf3rasysxgxxesg30f3agst6mehsxzsz7a/state/oldest_epoch",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator_set_positions/lazy_map/data/0000000000040/data/#tnam1q9xenqd37vg6tpz8ks7wwz2fks3mm9529yepfkqa",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator_set_positions/lazy_map/data/0000000000040/data/#tnam1qymhasuf3rasysxgxxesg30f3agst6mehsxzsz7a",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator_sets/below_capacity/lazy_map/data/0000000000040/data/FVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVH356NVG/data/000000000000A",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator_sets/consensus/lazy_map/data/0000000000040/data/000000000000000000000000000000000000000000000ESQP800/data/0000000000006",
"#tnam1qgqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqc8j2fp/validator_sets/consensus/lazy_map/data/0000000000040/data/0000000000000000000000000000000000000000000010PVRA00/data/0000000000000"

cat proposal.json
{
"proposal": {
"id": 310,
"content": {
"title": "Integration Proposal",
"authors": "StakePool",
"discussions-to": "forum.namada.net/testnet",
"created": "2024-03-08T12:00:00Z",
"license": "MIT",
"abstract": "This proposal testnet",
"motivation": "Integrating.",
"details": "The proposal techical specifications for the integration.",
"requires": "0"
},
"author": "tnam1q8q0g5j4k9ume9lapusf7wz9z3n7t8g4mszfsmtq",
"voting_start_epoch": 30,
"voting_end_epoch": 32,
"grace_epoch": 34
},
"data": [48,120,54,48,54,48,52,48,53,50,54,48,52,48,56,48,53,49,57,48,56,49,48,49,54,48,52,48,53,50,56,48,54,48,48,98,56,49,53,50,54,48,50,48,48,49,55,102,52,56,54,53,50,48,48,98,56,49,53,50,53,54,48,49,57,48,56,48,53,49,57,48,54,48,49,57,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,8,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,53,50,53,48,54,48,48,98,56,49,5]
}

namada client query-proposal --proposal-id 305 --node http://localhost:26657
Last committed epoch: 30
Proposal Id: 305
Type: Default
Author: tnam1q8q0g5j4k9ume9lapusf7wz9z3n7t8g4mszfsmtq
Content: {"abstract": "This proposal testnet", "authors": "StakePool", "created": "2024-03-08T12:00:00Z", "details": "The proposal techical specifications for the integration.", "discussions-to": "forum.namada.net/testnet", "license": "MIT", "motivation": "Integrating.", "requires": "0", "title": "Integration Proposal"}
Start Epoch: 30
End Epoch: 32
Grace Epoch: 34
Status: on-going
Data:

I'm running namada v0.31.0 with cometbft v0.37.2 and downloaded the genesis tar shielded-expedition.b40d8e9055. I un-tar'd it and moved it to ~/.local/share/namada/. After setting the following environment variables:

export NAMADA_CHAIN_ID="shielded-expedition.b40d8e9055"
export CHAIN_ID=$NAMADA_CHAIN_ID
export VALIDATOR_ALIAS="okwme"
export BASE_DIR="~/.local/share/namada"
export NAMADA_NETWORK_CONFIGS_SERVER="https://github.com/anoma/namada-shielded-expedition/releases/download/shielded-expedition.b40d8e9055"
export CMT_LOG_LEVEL="p2p:none,pex:error"
export NAMADA_LOG="info"

I run namada node ledger run and get the following error:

> namada node ledger run
The application panicked (crashed).
Message:  Missing genesis files:
   0: Couldn't parse Tokens TOML from /root/.local/share/namada/shielded-expedition.b40d8e9055/tokens.toml
   1: missing field `address` for key `token.NAAN` at line 1 column 1

Location:
   crates/apps/src/lib/config/genesis/utils.rs:30

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
Location: crates/apps/src/lib/cli/context.rs:147

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.

Title:

• Finding Security Vulnerabilities.

Summary:

• Crash when executing an tx-result transaction.

Details:

• When executing the command namadac tx-result --tx-hash "DuyTestSomething '&& 1=1" during testing phases to assess SQL injection vulnerabilities, the application crashes. The error message received is as follows:

Message:  Unable to query for transaction with given hash: 
   0: response error
   1: Internal error: 
      parse error near PegText (line 1 symbol 17 - line 1 symbol 40):
      "'DuyTestSomething \\'"
       (code: -32603)

Location:
   /home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/flex-error-0.4.4/src/tracer_impl/eyre.rs:10

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.
Location: /home/runner/work/namada/namada/crates/sdk/src/rpc.rs:683

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.

Steps to Reproduce:

1. Execute the command namadac tx-result --tx-hash "DuyTestSomething '&& 1=1".
2. Observe the application crash.

Expected Behavior:

• The application should handle the SQL injection test gracefully, providing appropriate error handling or rejecting the input.

Actual Behavior:

• The application crashes with the provided error message when encountering the SQL injection test.

Additional Information:

• This issue poses a potential security risk as it indicates vulnerability to SQL injection attacks.
• The error message suggests an internal parsing error near the provided input 'DuyTestSomething \'.

Environment:

• Operating System: Linux Ubuntu 22.04.4 LTS
• Application Version: v0.31.9

Proposed Solution:

• Review the code handling transaction queries to identify and fix the parsing error.
• Implement input validation or sanitization to prevent SQL injection vulnerabilities.
• Consider adopting parameterized queries or ORM frameworks to mitigate SQL injection risks.

The hard fork procedure and state migration are tricky and problematic for docker setups. I created this issue to discuss potential workarounds with the team and pilots using docker.

Issues

1. the namada binary inside docker image ghcr.io/anoma/namada:namada-v0.31.10 is on version 0.31.9 instead of 0.31.10
2. you can't download and run pre-built binaries https://github.com/anoma/namada/releases/tag/v0.31.10 inside the previous docker containers because it requires a higher version of glibc GLIBC_2.33 but the version on bullseye image is GLIBC_2.31

Workarounds

I made an intermediate image just for the migration step. something like this :

FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y \
    curl \
    nano \
    jq \
    dnsutils \
    wget \
    perl \
    iputils-ping \
    && apt-get clean

RUN useradd namada
RUN mkdir /hardfork && chown namada:namada /hardfork
USER namada
COPY hardfork /hardfork
WORKDIR /hardfork

The hardfork directory has the following structure (download the files manually before building the docker image)

hardfork
├── make-db-migration
├── namada-0.31.10
├── namadac-0.31.10
├── namadan-0.31.10
├── namadaw-0.31.10
└── wasm
    ├── checksums.json
    └── vp_user.6065919f895d43099a567cb120ebdfa0c99c3ba4e803fe99159a14bd8f97f0ea.wasm

build and tag this image. i call it hardfork

Steps

1. wait until node reaches the target block and suspends, then stop and remove the container
2. MAKE A BACKUP from volume/bindmount somewhere else
3. run a new container with hardfork image we just created earlier, with Exact mount paths. exec into it.
4. inside the container cd into /hardfork path. now if you mounted the namada data dir correctly, you have everything needed to generate migrations.json file
5. wait for team to announce the shasum of the file, if everything is correct copy it into the volumes directory before leaving the intermediate container
6. from this step you can use the official docker image ghcr.io/anoma/namada:namada-v0.32.1 for your validators container. make sure before running it with the default command, change its entry point and exec into it, and follow the instructions for the rest of the migration

Please share your thoughts. did I miss anything? is there a better and cleaner approach?

When I run:

docker run ghcr.io/anoma/namada:namada-main client utils join-network --chain-id shielded-expedition.b40d8e9055

I get:

The application panicked (crashed).
Message:  called `Result::unwrap()` on an `Err` value: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }
Location: /app/crates/apps/src/lib/client/utils.rs:73

Backtrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.
Run with RUST_BACKTRACE=full to include source snippets.

With docker run -e RUST_BACKTRACE=1 ...:

The application panicked (crashed).
Message:  called `Result::unwrap()` on an `Err` value: Os { code: 13, kind: PermissionDenied, message: "Permission denied" }
Location: /app/crates/apps/src/lib/client/utils.rs:73

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                                ⋮ 8 frames hidden ⋮                               
   9: namada_apps::client::utils::join_network::{{closure}}::hbfc8b5b4f9eafb86.102733<unknown>
      at <unknown source file>:<unknown line>
  10: namada_apps::cli::client::<impl namada_apps::cli::api::CliApi>::handle_client_command::{{closure}}::h48f18e003e45c63a.102675<unknown>
      at <unknown source file>:<unknown line>
  11: namadac::main::{{closure}}::haa7ba86a899e0ea5
      at <unknown source file>:<unknown line>
  12: namadac::main::hc3878379795d42b5
      at <unknown source file>:<unknown line>
  13: std::sys_common::backtrace::__rust_begin_short_backtrace::h5544c24a7173b37a
      at <unknown source file>:<unknown line>
  14: main<unknown>
      at <unknown source file>:<unknown line>
  15: __libc_start_main<unknown>
      at <unknown source file>:<unknown line>
  16: _start<unknown>
      at <unknown source file>:<unknown line>

Run with COLORBT_SHOW_HIDDEN=1 environment variable to disable frame filtering.
Run with RUST_BACKTRACE=full to include source snippets.

When we try to submit S class task , we've get an error "User is not SE participant". Wallet is double checked in the extension, and have the correct address.

Title:
Finding Security Vulnerabilities

Summery:
A crash is raised when execute ibc-transfer which rpc is with "http://" or check balance via namadac --node with "http://".

Details:

1. Install namada v0.31.4 CLI without node running.
2. Generate IBC relayer for namada SE and osmosis
3. ibc-transfer from SE to osmosis with rpc 'http://94.130.90.47:26657' which's result in crash
4. ibc-transfer from SE to osmosis with rpc '94.130.90.47:26657' which's good.
5. Check SE balance with rpc 'http://94.130.90.47:26657' which's result in crash

Process:
IBC Channel:

• id: "shielded-expedition.88f17d1d14", ChannelId: "channel-42", connection_id: "connection-64"
• id: "osmo-test-5",ChannelId: "channel-5557", connection_id: "connection-1922"

namada --version
Namada v0.31.4

namadaw find --alias se_wallet
Found transparent keys:
Alias "se_wallet" (encrypted):
Public key hash: EBA13A31D3EFA00AD18C5899518D8C619DB1B4F9
Public key: tpknam1qrcr98xtauxv292mqzuyz6nkll8vpm0xvtjcdkpq9lp94pujcqktyxka4uk
Found transparent address:
"se_wallet": Implicit: tnam1qr46zw3360h6qzk333vfj5vd33semvd5ly8cyl00

• Crash when rpc with "http://" -
  namadac --chain-id shielded-expedition.88f17d1d14 --base-dir /home/namadexer/.local/share/namada balance --node http://94.130.90.47:26657 --owner se_wallet
  The application panicked (crashed).
  Message: called Result::unwrap() on an Err value: "Invalid Tendermint address: \n 0: \u{1b}[91merror parsing data: invalid address scheme: "http://94.130.90.47:26657"\u{1b}[0m\n\nLocation:\n \u{1b}[35m/home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/flex-error-0.4.4/src/tracer_impl/eyre.rs\u{1b}[0m:\u{1b}[35m10\u{1b}[0m\n\nBacktrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.\nRun with RUST_BACKTRACE=full to include source snippets."
  Location: /home/runner/work/namada/namada/crates/apps/src/lib/cli/context.rs:246

• Succeed when rpc without "http://" -
  namadac --chain-id shielded-expedition.88f17d1d14 --base-dir /home/namadexer/.local/share/namada balance --node 94.130.90.47:26657 --owner se_wallet
  naan: 15

• Crash when rpc with "http://" -
  namadac --base-dir /home/namadexer/.local/share/namada
  ibc-transfer
  --amount 1
  --source se_wallet
  --receiver osmo1wdj0pt7qmphdj6wermp0kq97rkwnxnzlvpsz42
  --token naan
  --channel-id channel-42
  --node http://94.130.90.47:26657
  --memo tpknam1qqjgef9zsd0gsyqn3af9nrgxyhapef3cjn5cyxpjcjgtq60de6502p8rf8h
  The application panicked (crashed).
  Message: called Result::unwrap() on an Err value: "Invalid Tendermint address: \n 0: \u{1b}[91merror parsing data: invalid address scheme: "http://94.130.90.47:26657"\u{1b}[0m\n\nLocation:\n \u{1b}[35m/home/runner/.cargo/registry/src/index.crates.io-6f17d22bba15001f/flex-error-0.4.4/src/tracer_impl/eyre.rs\u{1b}[0m:\u{1b}[35m10\u{1b}[0m\n\nBacktrace omitted. Run with RUST_BACKTRACE=1 environment variable to display it.\nRun with RUST_BACKTRACE=full to include source snippets."
  Location: /home/runner/work/namada/namada/crates/apps/src/lib/cli/context.rs:246

• Succeed when rpc without "http://" -
  namadac --base-dir /home/namadexer/.local/share/namada
  ibc-transfer
  --amount 1
  --source se_wallet
  --receiver osmo1wdj0pt7qmphdj6wermp0kq97rkwnxnzlvpsz42
  --token naan
  --channel-id channel-42
  --node 94.130.90.47:26657
  --memo tpknam1qqjgef9zsd0gsyqn3af9nrgxyhapef3cjn5cyxpjcjgtq60de6502p8rf8h
  Enter your decryption password:
  Transaction added to mempool.
  Wrapper transaction hash: 879DF7CC48070392E128ED85B69BA1B26E98CE3A6B6CAA28D1BA88DF5F9CE3B7
  Inner transaction hash: 82F5A5C3A4094DAD43E0F158B9EFDB8788D2BC181DBCC42CEFC847D0A4987FE3
  Wrapper transaction accepted at height 14237. Used 26 gas.
  Waiting for inner transaction result...
  Transaction was successfully applied at height 14238. Used 6193 gas.

It is impossible to scroll beyond 5 pages in the leaderboard, it always infinity returns back to the first page
Link: https://namada.net/shielded-expedition/crew-member-rankings

Title:
Finding Security Vulnerabilities

Summary:
Crash when executing an unbonding transaction

Details:

1. Executing an unbonding transaction;
2. I tried to unbond the available tokens (which are displayed before the transaction is executed), also I think it is worth considering that at the time I tried to do this my validator was in jail;
3. I sent a transaction of the form namadac unbond --validator "" --source "" --amount "" --memo "" --node ""(I'm not sure if I specified the "--source" flag, so that could also be the cause of the error).

Our validator address: tnam1q9raezgmgfz6rr68uuv47y8rn0gnufl9zqvdaqes

Error message:

Transaction added to mempool.
Wrapper transaction hash: A2A950B8EB4DA17DA1633F6243387BC26673D0DF3BF7E57860E3EEDBA754F247
Inner transaction hash: 32EF430F3072F953B5C2A719224FAC9A3E4C9EB69CDA476B86D458E0608094DB
Wrapper transaction accepted at height 7676. Used 23 gas.
Waiting for inner transaction result...
Transaction failed.
Details: {
  "inner_tx": null,
  "info": "Error trying to apply a transaction: Transaction runner error: Failed running wasm with: RuntimeError: unreachable\n    at <unnamed> (<module>[1043]:0x908bc)\n    at <unnamed> (<module>[44]:0x263ff)\n    at <unnamed> (<module>[38]:0x260ad)\n    at <unnamed> (<module>[16]:0x2060c)\n    at <unnamed> (<module>[1089]:0x92471)",
  "log": "",
  "height": 7677,
  "hash": "32EF430F3072F953B5C2A719224FAC9A3E4C9EB69CDA476B86D458E0608094DB",
  "code": "WasmRuntimeError",
  "gas_used": "5234"
}

I have already described this bug on Discord. Link to the message(se-100): https://discord.com/channels/833618405537218590/1192974425423892550/1205222804971061268