Build in replay protection for userland signatures?

[mitschabaude]

Attack scenario:

zkApp guards some high-stakes action (like, paying out funds / voting) by requiring a signature from authorized users as input, and verify that signature. It will verify that

• the public key on the signature matches the authorized user (which could be encoded in various ways, like hard-coded constant, on-chain state, leaf of a Merkle tree,...)
• the signed message specifies the respective action

Two problems:

• Signatures are deterministically derived from the message
• and don't distinguish between different networks

So if you create a signature for a high-stakes action, and send it to me to include in a proof, that means I use it any number of times as proof input. For example, if your signature authorizes me to withdraw amount X to address Y, I could withdraw X to Y an infinite number of times.

In the case you have the same account address on testnet / mainnet, then your testnet signature could even be used to withdraw real mainnet funds.

Should we build in automatic defense against cases like that?

Ideas:

@ replay on different network:

• automatically include the network type in the signature, and also hard-code it into every smart contract, such that our tooling (zk deploy) sets the right constant when deploying to either network
• tag generated private keys with the network type, so that wallets can reject it if you want to restore a wallet for the wrong network

@ replay on the same network:

• provide an interface that makes it easy for wallets to pass in the user's account nonce as an argument which becomes part of the message, plus an interface in snarkyjs that makes the circuit compare that nonce to the signer's account nonce and do a nonce increment on that account