
Include chain id in signed data

Open mohoff opened this issue 6 years ago • 4 comments

Hi, others have been mentioning that a nonce is needed to prevent replay attacks. However, I think a nonce might not be enough if burner wallets exist on mainnet and testnets. Even with a nonce, a replay attack is possible when a claim (happened on testnet) is replayed on mainnet. This assumes that the other fields are identical as well, which is possible IMO.

A workaround, in case my concern is valid, is to add another net-unique constant, e.g. the chain id, to the signed data.

Curious to hear if others share that opinion.

mohoff avatar Nov 21 '18 23:11 mohoff

Good idea!! It is another security parameter. It is possible to replay between networks. I think that using the contract address could mitigate this issue. But it is also possible to deploy the contract on the same address in different networks. So I think it is good to add it.

riusricardo avatar Nov 22 '18 01:11 riusricardo

I agree this is a good idea. I'm not sure what chain id to use for POA's xdai though. Is this just the chain id or is it something special in the r s v ?

austintgriffith avatar Nov 27 '18 00:11 austintgriffith

I'm also not sure, never worked with POA/xDai before. My guess is just the chain id.

mohoff avatar Nov 29 '18 11:11 mohoff

https://dai.poa.network -> 100
https://core.poa.network -> 99
https://sokol.poa.network -> 77

It can be done quite easily in the smart contract. We should add a new variable initialized with the constructor and include it in the signed hash. Every time the contract is deployed into a network, the chain id needs to be specified.

riusricardo avatar Nov 29 '18 17:11 riusricardo
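
One way to write the change proposed in the last comment, as an added example that is not the burner-wallet contract or code from any participant in this thread. The contract name, the claim fields (`signer`, `to`, `amount`, `nonce`), the deposit model and the function names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: hypothetical contract, not the burner-wallet code.
contract ChainBoundClaims {
    // Fixed per deployment, e.g. 100 for xDai, 99 for POA Core, 77 for Sokol.
    uint256 public immutable chainId;
    mapping(address => uint256) public balanceOf;
    // signer => nonce => already claimed (replay protection on one chain)
    mapping(address => mapping(uint256 => bool)) public usedNonce;

    event Claimed(address indexed signer, address indexed to, uint256 amount, uint256 nonce);

    constructor(uint256 _chainId) {
        chainId = _chainId;
    }

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
    }

    // Hash the wallet signs. chainId separates networks and address(this)
    // separates contracts on one network. Every field is fixed-size, so
    // abi.encodePacked is unambiguous here.
    function claimHash(address signer, address to, uint256 amount, uint256 nonce)
        public view returns (bytes32)
    {
        return keccak256(abi.encodePacked(chainId, address(this), signer, to, amount, nonce));
    }

    function claim(address signer, address to, uint256 amount, uint256 nonce,
                   uint8 v, bytes32 r, bytes32 s) external
    {
        require(!usedNonce[signer][nonce], "nonce already used");
        // Same prefix that personal_sign applies to a 32-byte hash.
        bytes32 digest = keccak256(abi.encodePacked(
            "\x19Ethereum Signed Message:\n32",
            claimHash(signer, to, amount, nonce)));
        address recovered = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) for an invalid signature.
        require(recovered != address(0) && recovered == signer, "bad signature");
        usedNonce[signer][nonce] = true;
        balanceOf[signer] -= amount; // reverts if the signer has too little deposited
        emit Claimed(signer, to, amount, nonce);
        payable(to).transfer(amount);
    }
}
```

A signature produced for the deployment constructed with 77 recovers a different address when submitted to the deployment constructed with 100, so `claim` reverts there even if the contract address, nonce and other fields match. On Solidity 0.8.0 and later the constructor can also require `_chainId == block.chainid` to catch a mis-specified value at deployment.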