Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@agoric/cosmos
Advanced tools
This module manages the integration between the Cosmos x/bank module and the VM.
"Bank purses" connect Cosmos-level bank module accounts with Agoric-level ERTP purses and payments. A "bank purse" is created at the ERTP level which be observed and manipulated as other purses, but modifications to it are sent over the bridge to act upon the bank account. Updates to the bank account balance are sent over the bridge to update the bank purse, whose balance can be queried entirely at the ERTP level.
feeCollectorName
: the module which handles fee distribution to stakers.reward_epoch_duration_blocks
: the duration (in blocks) over which fees should be given to the fee collector.The Vbank module maintains no significant state, but will access stored state through the bank module.
Purse operations which change the balance result in a downcall to this module to update the underlying account. A downcall is also made to query the account balance.
Upon an EndBlock()
call, the module will scan the block for all MsgSend
and MsgMultiSend
events (see cosmos-sdk/x/bank/spec/04_events.md
) and perform a VBANK_BALANCE_UPDATE
upcall for all denominations held in only the mentioned module accounts.
The following fields are common to the Vbank messages:
"address"
, "recipient"
, "sender"
: account address as a bech32-encoded string"amount"
: either amount to transfer or account balance, as an integer string"denom"
: denomination as a string"nonce"
: unique integer, as a number"type"
: string of the type of message (enumerated below)"updated"
: list of objects with the fields "address"
, "denom"
, "amount"
.Downcalls from JS to Cosmos (by type
):
VBANK_GET_BALANCE (type, address, denom)
: gets the account balance in the given denomination from the bank. Returns the amount as a string.VBANK_GIVE (type, recipeient, denom, amount)
: adds amount of denomination to account balance to reflect a deposit to the virtual purse. Returns a VBANK_BALANCE_UPDATE
message restricted to the recipient account and denomination.VBANK_GIVE_TO_FEE_COLLECTOR (type, denom, amount)
: stores rewards which will be gradually sent to the fee collectorVBANK_GRAB (type, sender, denom, amount)
: burns amount of denomination from account balance to reflect withdrawal from virtual purse. Returns a VBANK_BALANCE_UPDATE
message restricted to the sender account and denomination.Upcalls from Cosmos to JS: (by type
)
VBANK_BALANCE_UPDATE (type, nonce, updated)
: inform virtual purse of change to the account balance (including a change initiated by VBANK_GRAB or VBANK_GIVE).Test the following transfer scenarios:
The initial BLD and IST purses are bank purses, but newly-created purses will not be bank purses by default.
To use Cosmos governance to change the reward_epoch_duration_blocks
value:
$ agd query vbank params
reward_epoch_duration_blocks: "720"
$ cat <<EOF > epoch-duration-proposal.json
{
"title": "Vbank param-change test",
"description": "Decrease the fee disbursal epoch parameter to 30 blocks.",
"changes": [
{
"subspace": "vbank",
"key": "reward_epoch_duration_blocks",
"value": "30"
}
],
"deposit": "1000000ubld"
}
EOF
$ agd tx gov submit-proposal param-change epoch-duration-proposal.json --from=mykey --chain-id=agoric
# Then vote on the proposal.
$ agd tx vote ...
# After passing,
$ agd query vbank params
reward_epoch_duration_blocks: "30"
$
FAQs
Connect JS to the Cosmos blockchain SDK
The npm package @agoric/cosmos receives a total of 1,579 weekly downloads. As such, @agoric/cosmos popularity was classified as popular.
We found that @agoric/cosmos demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.