RiB Newsletter #29

November 03, 2021

Welcome to the #29 edition of Rust in Blockchain, the monthly newsletter about Rust, distributed systems, cryptography, and other industry topics. Previous: #28.

With total value locked (TVL) measurements going up, up, up across the blockchain world, Ethereum extremely congested, and liquidity providers fleeing to blockchains with high yields and low fees, there are huge efforts on many chains to get dapps out fast and attract market share. In the Rust world some notable developments:

NEAR launched an $800 million ecosystem fund and has been quietly climbing up the DeFi TVL charts.
Secret Network can now bridge to multiple chains and its SecretSwap has enough liquidity that it will soon be a viable route for discreetly moving assets between the burgeoning multi-chain ecosystem.
The Internet Computer (previously DFINITY) has been cranking out blog posts, both about technical matters and partnerships. They are running a developer grants program.
Nervos has launched their Force Bridge to connect to Ethereum, and is working to add EVM compatibility.
Polkadot has been running a high-profile auction for parachain slots on its canary network, Kusama, and will soon begin auctions for the main Polkadot network. Some of the Kusama parachains, notably Moonriver, are already up and running and attracting EVM-compatible dapps like Sushi.
Solana has turned into a bit of a juggernaut, with huge financial backing, and TVL only behind Ethereum and Binance Smart Chain. It has been attracting dapps and protocols that were previously EVM-only, like Lido and RenVM; but it also has a strong stable of its own Solana-native dapps.

In RiB news, this month we’ve added a “Security Advisories” section, summarizing all the Rust security advisories of the month from RustSec, and GitHub Advisories. Seeing them all in one place is revealing: lots of security-relevant bugs in crates used in, or created by, the blockchain industry.

This month, upon prompting, we added a Zcash donation address, and immediately received 3 donations. Thanks to the Zcash twitter community! RiB donations are 100% earmarked for supporting developers through event sponsorships, etc. The donation addresses can be found on the sidebar of the website.

Thanks

Thanks to contributors: Adam Dossa, Awa Sun Yin, bbyleggo123, Dan Shields, KΞlchΞ⟠, Squirrel, Brian Anderson and Aimee Zhu. Thank you for your help!

RiB needs help to keep up with Rust blockchain projects. If you follow a particular project, or otherwise find information that is beneficial to the Rust & blockchain community, please contribute to the next issue by submitting a PR to the next draft.

Project Spotlight

Each month we like to shine a light on a notable Rust blockchain project. This month that project is…

mina-rs.

Mina is a new blockchain network that uses zero-knowledge proofs to validate the state of the chain without access to a full blockchain, but instead only a tiny (~22k) proof. This should enable even mobile devices to participate in the network as full validators, requiring less trust than today’s situation where most clients are connecting to other peoples’ full nodes hosted in the cloud. They are calling this style of chain a “succinct blockchain”, and have caught the attention of a number of other projects, forming partnerships to bring the idea to other chains.

mina-rs is an implementation of Mina in Rust, developed by ChainSafe. It is developed not only with mobile environments in mind, but WASM too, which suggests we’ll be able to embed a full node directly in the browser.

Some recent information about Mina / mina-rs:

Interesting Things

Blog Posts

Papers

Projects

Shade Protocol is an array of connected privacy-preserving dApps built on Secret Network.

Security Advisories

Monthly security advisories, from RustSec, and GitHub Advisories. Bold entries here are especially relevant to blockchain projects.

RUSTSEC-2021-0120: Unsoundness in abomonation. abomonation transmutes &T to and from &[u8] without sufficient constraints.
RUSTSEC-2021-0121: Unsoundness in crypto2. Non-aligned u32 read in Chacha20 encryption and decryption.
CVE-2021-20319: coreos installer improperly verifies GPG signature when decompressing gzipped artifact. coreos-installer fails to correctly verify GPG signatures when decompressing gzip-compressed artifacts. This allows bypass of signature verification in cases where coreos-installer decompresses a downloaded OS image, allowing an attacker who can modify the OS image to compromise a newly-installed system.
CVE-2020-26281: Async-h1 request smuggling possible with long unread bodies. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications.
CVE-2021-41138: Validity check missing in Frontier. In the newly introduced signed Frontier-specific extrinsic for pallet-ethereum, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advantage of this to put invalid transactions into a block.
CVE-2021-41149: Improper sanitization of target names. The tough library, prior to 0.12.0, does not properly sanitize target names when caching a repository, or when saving specific targets to an output directory. When targets are cached or saved, files could be overwritten with arbitrary content anywhere on the system.
CVE-2021-41150: Improper sanitization of delegated role names. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is cached or loaded, files ending with the .json extension could be overwritten with role metadata anywhere on the system.
CVE-2021-41153: Specification non-compliance in JUMPI. In evm crate < 0.31.0, JUMPI opcode’s condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check.
GHSA-v935-pqmr-g8v9: Unexpected panics in num-bigint. Two scenarios were reported where BigInt and BigUint multiplication may unexpectedly panic.