You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
zkApp guards some high-stakes action (like, paying out funds / voting) by requiring a signature from authorized users as input, and verify that signature. It will verify that
the public key on the signature matches the authorized user (which could be encoded in various ways, like hard-coded constant, on-chain state, leaf of a Merkle tree,...)
the signed message specifies the respective action
Two problems:
Signatures are deterministically derived from the message
and don't distinguish between different networks
So if you create a signature for a high-stakes action, and send it to me to include in a proof, that means I use it any number of times as proof input. For example, if your signature authorizes me to withdraw amount X to address Y, I could withdraw X to Y an infinite number of times.
In the case you have the same account address on testnet / mainnet, then your testnet signature could even be used to withdraw real mainnet funds.
Should we build in automatic defense against cases like that?
Ideas:
@ replay on different network:
automatically include the network type in the signature, and also hard-code it into every smart contract, such that our tooling (zk deploy) sets the right constant when deploying to either network
tag generated private keys with the network type, so that wallets can reject it if you want to restore a wallet for the wrong network
@ replay on the same network:
provide an interface that makes it easy for wallets to pass in the user's account nonce as an argument which becomes part of the message, plus an interface in snarkyjs that makes the circuit compare that nonce to the signer's account nonce and do a nonce increment on that account
The text was updated successfully, but these errors were encountered:
Attack scenario:
zkApp guards some high-stakes action (like, paying out funds / voting) by requiring a signature from authorized users as input, and verify that signature. It will verify that
Two problems:
So if you create a signature for a high-stakes action, and send it to me to include in a proof, that means I use it any number of times as proof input. For example, if your signature authorizes me to withdraw amount X to address Y, I could withdraw X to Y an infinite number of times.
In the case you have the same account address on testnet / mainnet, then your testnet signature could even be used to withdraw real mainnet funds.
Should we build in automatic defense against cases like that?
Ideas:
@ replay on different network:
@ replay on the same network:
The text was updated successfully, but these errors were encountered: