
Use tx to derive exit id instead of passing exit id directly

Open thec00n opened this issue 5 years ago • 1 comments

Issue Type

[ x ] bug report
[ ] feature request

Current Behavior

Currently when challenging a standard exit it is required to pass in an exit id. This increases attack surface on the challenge standard exit function as malicious users can pass in arbitrary exit ids to the function that do not relate to the exiting tx.

https://github.com/omisego/plasma-contracts/blob/7c3f79631ec0657b96cdd2077b0f52b2ec292261/plasma_framework/contracts/src/exits/payment/controllers/PaymentChallengeStandardExit.sol#L84

Expected Behavior

Generate the exit id based on the exiting tx with getStandardExitId and remove the exit id as a function parameter.

thec00n, Feb 25 '20 06:02

On the other hand, due to our sadly deposit tx bytes not unique issue, the exitId relies on utxoPos for deposit tx while it is not needed for normal tx. In other words, for normal tx we can ask the user to pass in utxoPos but it will be useless. This creates another attack surface as well.

boolafish, Jun 11 '20 08:06
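
The two function shapes discussed in this thread, as a simplified Python model added here (not code from plasma-contracts). `ExitGameModel`, its method names and the truncated `sha3_256` hash are assumptions for illustration, and the contract's other checks are not modelled.

```python
import hashlib

def derive_exit_id(is_deposit: bool, tx_bytes: bytes, utxo_pos: int) -> int:
    # Deposit tx bytes are not unique, so only deposits mix in utxo_pos.
    data = tx_bytes + utxo_pos.to_bytes(32, "big") if is_deposit else tx_bytes
    # Assumption: sha3_256 truncated to 160 bits stands in for the real formula.
    return int.from_bytes(hashlib.sha3_256(data).digest()[:20], "big")

class ExitGameModel:
    def __init__(self):
        self.exits = {}  # exit id -> exiting tx bytes

    def start_exit(self, is_deposit, tx_bytes, utxo_pos):
        exit_id = derive_exit_id(is_deposit, tx_bytes, utxo_pos)
        self.exits[exit_id] = tx_bytes
        return exit_id

    def challenge_with_id(self, exit_id, exiting_tx):
        # Shape described in the issue: the exit id is a free parameter.
        if exit_id not in self.exits:
            raise KeyError("no such exit")
        # Nothing here ties exit_id to exiting_tx, so the pair can disagree.
        del self.exits[exit_id]
        return exit_id

    def challenge_with_tx(self, is_deposit, exiting_tx, utxo_pos):
        # Proposed shape: the exit id is derived from the tx, never supplied.
        exit_id = derive_exit_id(is_deposit, exiting_tx, utxo_pos)
        if exit_id not in self.exits:
            raise KeyError("no such exit")
        del self.exits[exit_id]
        return exit_id

def demo():
    game = ExitGameModel()
    tx_a, tx_b = b"constructed-tx-A", b"constructed-tx-B"  # constructed sample bytes
    id_a = game.start_exit(False, tx_a, 1000)
    game.start_exit(False, tx_b, 2000)
    # Caller-supplied id: a challenge presented with tx_b removes tx_a's exit.
    removed_by_id = game.challenge_with_id(id_a, tx_b)
    # Derived id: the removed exit is the one for the tx presented; the
    # utxo_pos argument (999 here) has no effect for a normal tx.
    removed_by_tx = game.challenge_with_tx(False, tx_b, 999)
    return {"removed_by_id": removed_by_id, "removed_by_tx": removed_by_tx,
            "remaining": len(game.exits)}

if __name__ == "__main__":
    print(demo())
```

For a normal tx the derived id ignores `utxo_pos`, which is the unchecked input the comment above points at; for a deposit the same tx bytes at two positions yield two ids.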