Cosmos-sdk: x/auth: Make the only requirement on sequence number be increasing

Interesting thought @ValarDragon. Regarding your example, would the user simply not be able to query the latest state if they forget (command line, API, etc..)?

I agree thought that if we do allow arbitrary values, they should be within a small-ish range.

I'd like to be able to broadcast a Tx without needing the latest state. (I would just need a vague notion of approximately where my sequence number is)

A more compelling reason, which i just though of is the following. Suppose I'm sending out a ton of txs b/c I'm doing something automated. Txs 1-10 go through, tx 11 gets dropped. (Network connectivity issues) 12-20 go through. 12-20 can't be included in a block, since 11 wasn't there. This is a bad situation for my bot that needed high throughput.

I agree thought that if we do allow arbitrary values, they should be within a small-ish range.

I went back and forth on this point a bit before posting the issue. (Actually changed my mind after I posted it, if you see the edits haha)

My thinking is that its cleaner if we drop replay protection on maxed account sequence number. (Its something I think we should do anyway, just right now it seems entirely unfeasible to occur) With that in mind, allowing any increasing sequence number is cleaner, and takes less computation. (Therefore each tx in principle requires less gas)

I don't like the arbitraryness of fixed sequence number within a range, but I can't think of a real use case where that becomes a problem.

I see...interesting. I could see how having the range would add some unnecessary and potentially ugly complexity. Do we have to worry about any attack vectors here?

Good point. Noone can make you sign a tx you didn't agree to. So the only concerns would be applications that set your sequence number too high, so that you would hit the 2**64 limit, and then lose replay protection. We can't rely on this being clear from looking at an applications source code, since you can do super cool obfuscated stuff with metaprogramming. (Espec. with closed source applications)

The threat model is something like a ledger app that just doesn't display the sequence number when asking you to sign. (Something that can query your privkey) Any app that holds your private key already has the ability to do much worse than this. Anything that queries your privkey to sign though should display the entire sequence number for you to confirm. If the threat model is the adversary wrote the code you use to display the tx when querying the privkey, then this is all a moot point as they could just display the tx you want, and send all the funds elsewhere. This is just a slightly more subtle attack.

I guess we need to agree on if were fine with this more subtle attack vector existing on tx display code. I think its fine, since they could already do the more obvious "send all funds to my own acct instead of what I displayed" trick.

If we're not fine with it, I think we should definitely use ranges. (Every thing else that I could think of had more complexity + another arbitrary parameter)

Suppose I'm sending out a ton of txs b/c I'm doing something automated.

In most cases, one multi-Msg transaction is probably a better solution, but I agree that we should still change the sequence logic.

I guess we need to agree on if were fine with this more subtle attack vector existing on tx display code. I think its fine, since they could already do the more obvious "send all funds to my own acct instead of what I displayed" trick.

This is an attack that already requires a great deal of access, but I still think it's worth worrying about - users are well-trained to read destination addresses on Ledger screens, less so sequence numbers. If I can trick you once into signing with a maximum sequence, I can then replay that transaction any number of times.

If we're not fine with it, I think we should definitely use ranges. (Every thing else that I could think of had more complexity + another arbitrary parameter)

Agreed, the range doesn't even really need to be a governance parameter, it can just be a constant (say 100) to avoid store reads. It's unlikely anyone would ever need more than that - if they did, it could be changed by a SoftwareUpgradeProposal.

Fair point. I propose that we make the constant 256. (There isn't a solid defense for this number in particular, it is just an arbitrary parameter)

The security then becomes 2^56 txs signed on such a malicious display device.

@sunnya97 made a good point.
You may want to be able to guarantee that txs are processed in a certain order. However that is still possible here (as noted by @cwgoes). If tx 1 has sequence number 0, then give tx 2 has sequence number 1 + max sequence_num_increment, which will guarantee tx 1 must come before tx 2.

But that would only work if the increment was done by sequence_num_increment, right? What if the increment was done by a small factor?

It's worth thinking about how we can improve account and sequence structure but I don't think we should do this right now.

"I dont know the state and dont want to check so I'm just going to do something that seems good enough" does not seem like a solid approach for engaging with cryptographic protocols, and isn't something we should encourage at the protocol level, so I'm not a big fan of the particular approach being proposed here.

Folks have been dealing with this in ethereum for a long time and it seems fine and well understood. Surely improvements could be made, but I'm not sure if this is the right way, or that we should do it now. If anything, I would prefer to allow a new kind of account that uses a random sequence say, but pays for the extra cost of having to store / lookup that value.

Anyways, I'm going to close this for now. We should try to move these larger protocol design questions to the forum and keep github focused on the immediate needs of the software. Please feel free to pick this up there.

Thanks guys!