feat: add sui report #18

Merged
merged 22 commits into main from feat--add-sui-report
Jan 22, 2025
Conversation

lspano-gif

No description provided.


@puhtaytow puhtaytow left a comment


LGTM


## Section 2: Network and Protocol Integrity
### 2.1 Network Architecture
Sui is a Layer 1 blockchain that supports scalable, high-performance decentralized applications. Unlike traditional blockchain architectures, Sui employs an object-based accounting model and a modified Delegated Proof-of-Stake (DPoS) consensus mechanism. Transactions are categorized as "simple" (touching only owned objects) or "complex" (touching shared objects); simple transactions bypass consensus ordering entirely, which improves throughput and latency. Complex transactions leverage Narwhal for data availability and Bullshark for ordering, ensuring efficiency and resilience.

Suggested change
Sui is a Layer 1 blockchain that supports scalable, high-performance decentralized applications. Unlike traditional blockchain architectures, Sui employs an object-based accounting model and a modified Delegated Proof-of-Stake (DPoS) consensus mechanism. Transactions are categorized into "simple" and "complex," with simple transactions bypassing traditional consensus steps, enhancing performance. Complex transactions leverage Narwhal for data availability and Bullshark for ordering, ensuring efficiency and resilience.
Sui is a Layer 1 blockchain that supports scalable, high-performance decentralized applications. Unlike traditional blockchain architectures, Sui employs an object-based accounting model and a modified Delegated Proof-of-Stake (DPoS) consensus mechanism. Transactions are categorized into "simple" and "complex," with simple transactions bypassing traditional consensus steps, enhancing performance. Complex transactions leverage Narwhal for data availability and Mysticeti for ordering, ensuring efficiency and resilience.
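The simple/complex split in Section 2.1 is easier to reason about with a toy model of what a validator actually does with each kind of transaction. The following is an added example written for this review, not code from Sui or from the report: it classifies a transaction by whether any input is a shared object, and models the per-validator owned-object lock table that makes the fast path safe (a second transaction spending the same object version is equivocation and is refused). Object IDs, versions and digests are constructed for illustration.

```python
"""Added example, not Sui's own code: a toy model of Sui's two execution paths.

Transactions whose inputs are all owned objects take the fast path and skip
consensus ordering; any transaction that reads or writes a shared object must
be ordered by consensus. In both cases a validator locks each owned
(object_id, version) input to the first transaction it signs for it, so a
second transaction spending the same version is equivocation and is refused.
Object IDs, versions and digests below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectRef:
    object_id: str
    version: int
    shared: bool = False   # True for shared objects, False for owned objects


@dataclass(frozen=True)
class Transaction:
    digest: str
    inputs: tuple          # tuple of ObjectRef


def execution_path(tx: Transaction) -> str:
    """'fast_path' if every input is owned, 'consensus' if any input is shared."""
    return "consensus" if any(o.shared for o in tx.inputs) else "fast_path"


class ValidatorState:
    """Per-validator lock table for owned-object inputs (toy version)."""

    def __init__(self) -> None:
        # (object_id, version) -> digest of the transaction holding the lock
        self.locks: dict[tuple[str, int], str] = {}

    def certify(self, tx: Transaction) -> tuple[bool, str]:
        """Decide whether to sign tx. Returns (signed, reason)."""
        owned = [o for o in tx.inputs if not o.shared]
        # Check every owned input before taking any lock, so a rejected
        # transaction leaves no partial locks behind.
        for o in owned:
            holder = self.locks.get((o.object_id, o.version))
            if holder is not None and holder != tx.digest:
                return False, (f"equivocation: {o.object_id}@{o.version} "
                               f"already locked by tx {holder}")
        for o in owned:
            self.locks[(o.object_id, o.version)] = tx.digest
        if execution_path(tx) == "consensus":
            # Shared-object inputs: ordering is decided by consensus, not here.
            return True, "owned inputs locked; queued for consensus ordering"
        return True, "fast path: owned inputs locked, no consensus needed"


def demo() -> list[tuple[str, str, bool]]:
    """Run a constructed scenario and return (digest, path, signed) per tx."""
    coin = ObjectRef("0xc01n", version=5)
    pool = ObjectRef("0xp001", version=9, shared=True)
    txs = [
        Transaction("tx-A", (coin,)),                          # spends coin v5
        Transaction("tx-B", (coin,)),                          # double-spend attempt
        Transaction("tx-C", (ObjectRef("0xc02n", 1), pool)),   # touches shared pool
    ]
    state = ValidatorState()
    return [(tx.digest, execution_path(tx), state.certify(tx)[0]) for tx in txs]


if __name__ == "__main__":
    for digest, path, signed in demo():
        print(f"{digest}: {path:<9} signed={signed}")
```

The point worth noting for the report is that the fast path's security rests entirely on this lock: a validator that signs both tx-A and tx-B for the same object version has equivocated, and the client that collects a quorum of signatures for tx-B from such validators would be able to double-spend. Re-presenting the same transaction (same digest) is idempotent and is not treated as equivocation.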

- **Sponsored Transactions:** Unique mechanism allowing third parties to pay transaction fees, promoting accessibility.
All computation fees and reward subsidies earned by a validator, minus its chosen commission rate, are shared with delegators. The validator receives the tokens charged as commission and a percentage of the rewards after removing the commission. This percentage equals the ratio of self-staked SUI against the total SUI staked to the validator. The second part of a validator’s rewards is sourced from the Storage Fund, which is funded by the storage fees involved in each transaction. Today’s validators process transactions occurring today and create data. If new validators join tomorrow, they will have to store data they were not rewarded to create. Storage fees included in each transaction fee are sent to the fund, which is used to reward tomorrow's validators with the storage fees paid today. Of note, the tokens held in the Storage Fund accrue rewards from its proportionate amount of the total staked supply.

Sui’s staking mechanism requires validators to hold a minimum of 30 million SUI, a high barrier to entry relative to other L1s. Validators share computational rewards with delegators, fostering ecosystem-wide engagement. Sui currently operates with approx. 108 active validators, which supports robust security and incentivizes network participation. Total staked assets on Sui amount to approximately 7.8B SUI (78.33% of total supply). The top 10 validators (including Mysten Labs) operate approx. 22% of total staked assets.

Suggested change
Sui’s staking mechanism requires validators to hold a minimum of 30 million SUI (high barrier relative to the market). Validators share computational rewards with delegators, fostering ecosystem-wide engagement. Sui currently operates with approx. 108 active validators, ensuring robust security and incentivizing network participation. The total number of staked assets on Sui is approximately 7.8B SUI (78.33% of total assets), The top 10 validators (inc. Mysten Labs) are operating approx 22% of the total staked assets.
Sui’s staking mechanism requires validators to hold a minimum of 30 million SUI or $133.8 million at the time of writing (on January 15, 2025 with a SUI price of $4.46), constituting a high barrier to entry relative to the L1 market. Validators share computational rewards with delegators, fostering ecosystem-wide engagement. Sui currently operates with approx. 108 active validators, ensuring robust security and incentivizing network participation. The total number of staked assets on Sui is approximately 7.8B SUI (78.33% of total assets), The top 10 validators (inc. Mysten Labs) are operating approx 22% of the total staked assets.
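Two figures in the staking paragraphs above (the commission-then-pro-rata reward split and the top-10 concentration number) are the kind a reviewer should be able to recompute. The block below is an added example written for this review, not Sui's code or the report's: it implements the reward split as described, and turns a stake distribution into the question a security reviewer actually cares about, namely how few validators must collude or fail to reach the BFT thresholds of one third (halt liveness) and two thirds (break safety) of stake. The validator set is constructed, in millions of SUI, and is not the live Sui validator set.

```python
"""Added example, not Sui's own code: validator reward split and stake
concentration checks over a constructed validator set.

reward_split follows the rule described in the report: the validator keeps its
commission, and the remainder is divided pro rata between the validator's
self-stake and its delegators. nakamoto_coefficient gives the smallest number
of largest validators whose combined stake reaches a threshold of total stake;
1/3 is enough to halt a BFT network, 2/3 is enough to break its safety.
Stake figures are constructed (millions of SUI), not the live validator set.
"""
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Validator:
    name: str
    self_stake: int        # millions of SUI staked by the operator (constructed)
    delegated: int         # millions of SUI delegated by others (constructed)
    commission: Fraction   # share of rewards kept as commission

    @property
    def total_stake(self) -> int:
        return self.self_stake + self.delegated


# Constructed validator set: 12 validators, 6,000M SUI staked in total.
VALIDATORS = [
    Validator("v01", 200, 1000, Fraction(1, 10)),
    Validator("v02", 100, 900, Fraction(1, 20)),
    Validator("v03", 50, 750, Fraction(1, 20)),
    Validator("v04", 40, 660, Fraction(1, 20)),
    Validator("v05", 30, 570, Fraction(1, 20)),
    Validator("v06", 30, 470, Fraction(1, 20)),
    Validator("v07", 30, 370, Fraction(1, 20)),
    Validator("v08", 30, 270, Fraction(1, 20)),
    Validator("v09", 30, 170, Fraction(1, 20)),
    Validator("v10", 30, 120, Fraction(1, 20)),
    Validator("v11", 30, 70, Fraction(1, 20)),
    Validator("v12", 30, 20, Fraction(1, 20)),
]


def reward_split(v: Validator, reward: int) -> tuple[Fraction, Fraction]:
    """Return (validator_take, delegators_take) for one epoch's reward."""
    commission = v.commission * reward
    remaining = reward - commission
    # The validator's pro-rata share of the post-commission reward is the
    # ratio of its self-stake to everything staked with it.
    validator_share = remaining * Fraction(v.self_stake, v.total_stake)
    return commission + validator_share, remaining - validator_share


def nakamoto_coefficient(stakes, threshold: Fraction) -> int:
    """Smallest count of largest validators whose stake reaches threshold of total."""
    ordered = sorted(stakes, reverse=True)
    total = sum(ordered)
    running = 0
    for count, s in enumerate(ordered, start=1):
        running += s
        if running >= threshold * total:
            return count
    return len(ordered)


def top_n_share(stakes, n: int) -> Fraction:
    """Fraction of total stake held by the n largest validators."""
    ordered = sorted(stakes, reverse=True)
    return Fraction(sum(ordered[:n]), sum(ordered))


def concentration_report(validators=VALIDATORS) -> dict:
    stakes = [v.total_stake for v in validators]
    return {
        "total_stake": sum(stakes),
        "top10_share": top_n_share(stakes, 10),
        "halt_liveness": nakamoto_coefficient(stakes, Fraction(1, 3)),
        "break_safety": nakamoto_coefficient(stakes, Fraction(2, 3)),
    }


if __name__ == "__main__":
    take, delegators = reward_split(VALIDATORS[0], 1000)
    print(f"v01 keeps {take} of 1000, delegators get {delegators}")
    for key, value in concentration_report().items():
        print(f"{key}: {value}")
```

Fractions are used rather than floats so that the split always sums exactly to the reward and the threshold comparison has no rounding slack. Run against the real distribution, the two coefficients are a more useful summary than the top-10 percentage alone, because they state directly how many operators the network's liveness and safety depend on.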

Sui’s smart contracts are written in Sui Move, a Rust-based programming language derived from the Move language developed at Meta. This language offers enhanced safety features, including:
- **Type Safety:** Reduces vulnerabilities by ensuring strict data type adherence.
- **Resource-Oriented Programming:** Prevents double-spending and unauthorized state changes by enforcing ownership and access rules.
- **Formal Verification:** Facilitates rigorous testing and validation of smart contracts to minimize bugs.

This section seems to be talking about smart contract testing more generally rather than just formal verification.

Sui Move's modular code organization, ownership rules, and explicit data flow make contracts comparatively easy to test and debug. Developers are encouraged to use local test environments, implement explicit error handling, and verify contracts with the Move Prover. Recent updates to the development tools further improve debugging and integration with Sui's broader ecosystem.

This paragraph seems a bit too vague. What are the recent updates to the development tools that enhance debugging, for example? The VSCode Trace Debugger extension?


However, historical incidents highlight the need for continuous vigilance:
- **November 17, 2023:** An unspecified vulnerability was discovered and promptly patched across the mainnet, testnet, and devnet. While the issue did not escalate, it underscores the importance of proactive community engagement in identifying flaws.

What implications did this vulnerability have and which components did it affect? Who noticed it? By "issue did not escalate" do we mean that it wasn't exploited on any of the networks?


Shall we add links to the relevant reports, where relevant? E.g., to the specific DoS vulnerability discovered by Beosin Alert and the "billion dollar bug" reported by Zellic?

- **September 3, 2023:** A denial-of-service (DoS) vulnerability in Sui’s P2P protocol was reported by Beosin Alert. The vulnerability, which could deplete memory and crash nodes, was resolved in version 1.6.3.
- **May 16, 2023:** A critical "billion-dollar bug" was identified during an audit by Zellic. The issue, which had the potential to cause significant disruptions, was patched effectively.

What disruptions could it cause? Would it result in loss of user funds?

Sui has engaged [third-party auditors](https://sui.io/security), including Zellic, Halborn, Common Prefix, OtterSec, and others, which conducted multiple audits focusing on core components. It's worth noting that no further audits are listed after April 2023.

### 3.2 Risks and Concerns
Recent incidents have also highlighted systemic risks. The November 2024 mainnet outage, caused by a critical bug in the consensus mechanism, disrupted transaction processing for over 24 hours. This incident exposed weaknesses in transaction ordering and underscored the need for robust disaster recovery mechanisms and better validator coordination. In addition, the absence of published audits since April 2023 leaves the network exposed to undiscovered security flaws.

I feel like we can avoid some of the duplication from the previous section.


Also, again, not confident personally about the lack of audits statement here. Do we know that there aren't any ongoing audits, for instance?


Additional notable considerations for the Axelar community include the nuances of Sui's consensus mechanism and upgrade processes. The Narwhal and Bullshark consensus mechanism used by Sui integrates a Directed Acyclic Graph (DAG)-based mempool with a Byzantine Fault Tolerant (BFT) protocol. This architecture is inspired by cutting-edge research but has seen limited external audits. While the foundational papers validating these approaches are rigorous, the specific implementations in Sui may include optimizations that require further review and validation.

Suggested change
Additional notable considerations for the Axelar community include the nuances of Sui's consensus mechanism and upgrade processes. The Narwhal and Tusk consensus mechanism used by Sui integrates a Directed Acyclic Graph (DAG)-based mempool with a Byzantine Fault Tolerant (BFT) protocol. This architecture is inspired by cutting-edge research but has seen limited external audits. While the foundational papers validating these approaches are rigorous, the specific implementations in Sui may include optimizations that require further review and validation.
Additional notable considerations for the Axelar community include the nuances of Sui's consensus mechanism and upgrade processes. The Narwhal and Tusk consensus mechanism used by Sui integrates a Directed Acyclic Graph (DAG)-based mempool with a Byzantine Fault Tolerant (BFT) protocol. This architecture is inspired by cutting-edge research but has seen limited external audits. While the foundational papers validating these approaches are rigorous, the specific implementations in Sui may include optimizations that require further review and validation.
Based on [the Mysticeti paper](https://arxiv.org/pdf/2310.14821), Sui's Mysticeti consensus protocol does not scale well beyond a few hundred validators. For example, in the paper, a "larger" deployment of the protocol refers to just 50 validators.

### 4.2 Understanding of Deployment and Maintenance Plans
Deployment scripts for Sui Axelar components are provided, and the process is well documented in the [Axelar repository](https://github.com/axelarnetwork/axelar-contract-deployments/tree/main/sui#sui-deployment-scripts). The code is well-structured, and [Ackee](https://ackee.xyz/) did not identify any best practices violations in the development scripts.

### 4.3 Mitigation of Potential Risks

Has any monitoring and alerting system been developed to raise alarms if any suspicious activity occurs on the Sui<>Axelar connection?

| **Ottersec 6/24** | | | 1-1-0 | 3-3-0 | 3-3-0 |
| **Ottersec 11/24** | | 1-1-0 | 1-1-0 | 4-4-0 | 4-3-1 |

No audit report for [Sui Amplifier](https://github.com/axelarnetwork/axelar-amplifier/tree/main/ampd/src/sui) code was provided.

I would expect the Sui Amplifier code to also include the Sui CosmWasm contracts (Sui Gateway, Sui Voting Verifier, and Sui Mulitisig Prover), but this seems to be linking only to the Sui external verifier ampd node. Where do the Sui CosmWasm contracts live and have those been audited?

@lspano-gif lspano-gif merged commit 4b11f85 into main Jan 22, 2025
@lspano-gif lspano-gif deleted the feat--add-sui-report branch January 22, 2025 22:14