Background: We learned that Corda is not tamper-proof but tamper-evident. So, if one of the nodes manipulated a state directly in the database, other nodes would be able to detect and flag it if that state was used in subsequent transactions. However, our test results were not as per our expectations. Corda did not flag the state that was tampered with, and in fact it recorded the new state with the tampered data on all participant nodes.

Prerequisites: comment out contract validations. We commented out the contract code to check whether data tampering is detected by Corda without the check being explicitly done at command level.

Steps to replicate:

  1. Start the obligation CorDapp.
  2. Create 3 obligations between Party A and Party B (100 THB, 256 THB and 100 THB). [screenshot: Obligations]
  3. Edit the VAULT_STATES table in the database of Party B by looking at the differences between the hex values. [screenshot: Vault State Hexs] Obligations with different amounts are on the left and the two obligations with the same amount are on the right. In the editor, when they have the same amount there are 2 differences (presumably linear-id and timestamp related), and when the amounts differ the 3rd discrepancy shows on the left.
  4. Overwrite the specific portion with the lower-value amount, updating the vault using SQL on Party B's vault. [screenshot: h2 Update]
  5. After this update, check Party B's vault: the amounts are changed to 100 THB on all 3 obligations. [screenshot: edited balance]
  6. However, Party A's vault will show the original amounts (100, 256, 100), as the data was not tampered with in Party A's vault. [screenshot: Party A Balance]
  7. Transfer ALL obligations from Party B to Party C.
  8. Transfer obligations result: Party B has no more obligations. [screenshot: Party B Obligations]
  9. Transfer obligations result: Party C gets all of Party B's obligations (100 THB for all, i.e. the tampered data was passed on to the new party). [screenshot: Transferred Obligations]
  10. Transfer obligations result: Party A's vault is also updated with the tampered data. It couldn't identify or flag the tampered data. [screenshot: Final Result]

How do I get Corda participant nodes to detect tampered states? Have I missed some config while setting up the node?

Comments:

I have read through your entire exposé twice, but still haven't discovered a question. (Robby Cornelissen)

The question is: how do I get Corda participant nodes to detect tampered states? (Rickky13)

Just to let you know that we are looking at this with quite some interest here at R3, but it's the beginning of the holiday season, so don't expect a detailed response just yet. (Richard Green)

1 Answer

I'm afraid this discussion may take a while because most of us are off on holiday from this afternoon.

We'll have a go at replicating what you did here. However it's not clear to me that this is a bug.

You say you commented out the contract validation logic. It sounds like what may have happened is this:

  1. Edit the states table to hold a corrupted state.
  2. Build a transaction with INPUT=pointer to previous correct state. OUTPUT=(corrupted state)+edit to hold new owner field.
  3. This transaction is now signed and transferred.

This transaction would have been considered invalid and rejected when the transfer to Party C is attempted, because it'd be an illegal state transition: the numbers do not balance. But you commented out the code that checks for that! So nothing anywhere is saying you aren't allowed to simply change the size of an obligation whenever you like ... Corda doesn't know that implicitly if you comment out the code that contains this knowledge. Thus from the IOU app's perspective changing the size as you transfer it is now a perfectly legitimate thing to do.

Here's the question - if you leave the app alone and don't modify its source code, is the tampering detected? If the answer is still "no" then we have some more investigation to do.
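To make the answer's point concrete, here is an added example (not the obligation CorDapp's own code, and not part of the answer): a minimal Corda contract whose Transfer check rejects exactly the transaction the answer describes, where the resolved input is the correct 256 THB state and the output is the tampered 100 THB copy with a new owner. The state class `ObligationState`, the command names and the package are assumptions.

```kotlin
package com.example.obligation

import net.corda.core.contracts.*
import net.corda.core.identity.AbstractParty
import net.corda.core.transactions.LedgerTransaction
import java.util.Currency

// Hypothetical state standing in for the obligation CorDapp's own state class.
data class ObligationState(
    val amount: Amount<Currency>,
    val lender: AbstractParty,
    val borrower: AbstractParty,
    override val linearId: UniqueIdentifier = UniqueIdentifier()
) : LinearState {
    override val participants: List<AbstractParty> get() = listOf(lender, borrower)
}

class ObligationContract : Contract {
    interface Commands : CommandData {
        class Issue : TypeOnlyCommandData(), Commands
        class Transfer : TypeOnlyCommandData(), Commands
    }

    // verify() runs on every node that checks the transaction, including Party A
    // and Party C, against the inputs resolved from the signed transaction chain,
    // not against whatever a node's local vault table currently says.
    override fun verify(tx: LedgerTransaction) {
        val command = tx.commands.requireSingleCommand<Commands>()
        when (command.value) {
            is Commands.Issue -> requireThat {
                "No inputs when issuing." using tx.inputsOfType<ObligationState>().isEmpty()
                val out = tx.outputsOfType<ObligationState>().single()
                "Amount is positive." using (out.amount.quantity > 0)
                "Lender and borrower sign." using command.signers.containsAll(out.participants.map { it.owningKey })
            }
            is Commands.Transfer -> requireThat {
                val input = tx.inputsOfType<ObligationState>().single()
                val output = tx.outputsOfType<ObligationState>().single()
                // The check that disappears when the contract is commented out:
                // a 256 THB input may not become a 100 THB output just because the owner changes.
                "Amount must be unchanged on transfer." using (input.amount == output.amount)
                "Borrower must be unchanged." using (input.borrower == output.borrower)
                "Linear id must be unchanged." using (input.linearId == output.linearId)
                "Lender must change." using (input.lender != output.lender)
                "Old and new lender must sign." using command.signers.containsAll(listOf(input.lender.owningKey, output.lender.owningKey))
            }
        }
    }
}
```

With this `verify()` in place, the transfer flow fails with "Amount must be unchanged on transfer." before anything is signed or recorded, which is the tamper-evidence the question was expecting.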