This is the outcome of a recent discussion with @kckyeung about XCM, reserve location, and its security.
First, I will rephrase the situation at hand, to the best of my knowledge. I am fairly new to this, so please correct me if I am wrong.
As I learned, most chains use themselves as the reserve location for their own token, not statemint and statemine. That is, chain A
puts some aToken
into a sovereign account of chain B
, and B
can mint the equivalent on aToken
on its side. We can assume that parachains that establish this trust among one another audit and trust each others’ runtime.
The problem with this however, is that if the state transition of A
gets compromised in any way, it will have full control over these funds. This can happen either through uploading a faulty WASM blob (which can itself happen through multitude of events) or through some kind of governance attack, such as what happened recently to Mangata.
I recall that the idea with statemint and statemine was to act as the trusted reserve location, mainly to prevent such events. So, if chain A
would go down, the assets would remain safe in statemint/mine. Although, recently I realized, if these chains control the assets that they use as reserve on statemint/mine as well, it does not help, because the rogue chain A
could also send an XCM to manipulate the asset. In this case, using statemine/mint at best makes the attack “more complicated”, and no less infeasible.
Having come to this conclusion, it became clear to me that using statemint/mine, in itself, will not prevent such attacks. But, further down the road, we discussed how one can protect against these attacks. One interesting idea here is to have some kind of middleware that sits between XCM and balance/assets (e.g. AssetsAdapter
) prevent malicious activities, based on some pre-defined rules and heuristics.
For example, a sovereign account that is acting as reserve should not be drained with a rate more than X
, and certainly all at once. It is, in my opinion, well worth it to make these attacks significantly less feasible, at the cost of preventing some XCM transfers in rare occasions. More ideas like these safeguards are discussed in this episode of the unchained podcast about the Nomad hack.
As a first step, we can think of a few safeguards like this, and hopefully put them in all chains that act as reserve for one another. And them, only then, I think there is a clear advantage in using statemint/mine, which is that even if a chain goes badly rogue, it could technically wipe out these safeguards from its own runtime, but it cannot wipe them out from statemint/mine.