
Sign snapshots including the initial UTxO set

Open ch1bo opened this issue 2 years ago • 1 comments

Why

Users would like to have their funds not be locked up and be inaccessible, even if a rollback past the "opening" happens.

When a Head is open and snapshots have been signed, but then a collectCom and one or more commit transactions were rolled back, a bad actor could choose to commit a different UTxO and open the Head with a different initial UTxO set, while the already signed snapshots would still be (cryptographically) valid. This is problematic as the old snapshots would still be valid to close the head with a not agreed or even invalid (= not fanoutable) UTxO set.

To mitigate this, all signatures on snapshots need to incorporate the initial UTxO set by including η0.

What

  • Replays of snapshots are prevented
  • Specifically this scenario is avoided:
    • Open a head with two commits
    • Do some transactions, such that a snapshot S1 is created
    • Rollback the collectCom and one of the commit transactions
    • Redo (by adversary) the commit transaction with a different UTxO
    • Redo (by adversary) the collectCom transaction
    • Closing the head with snapshot S1 should not be possible, but right now it would
    • Fanout will be impossible as the UTxO to fanout is not in the Head

How

  • Signing a snapshot should incorporate
    • its snapshot number,
    • its utxo hash,
    • the original utxo hash (η0 a.k.a. H(U0))
  • Keep the η0 around in the datum to be able to check the signature on-chain
  • For writing an acceptance test, we need a test suite which can instrument rollbacks, but also see a transaction be invalid because the close validator does not accept the old signature

Context

https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:L/AC:H/Au:M/C:N/I:P/A:C/E:U/RL:ND/RC:ND/CDP:L/TD:L/CR:ND/IR:ND/AR:ND)

ch1bo Jan 31 '23 13:01
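The replay scenario from the issue, as an added sketch that is not part of the original issue or the Hydra code base: it models the close check with and without η0 in the signed message. The UTxO encoding, the key values and all function names are assumptions, and HMAC stands in for the parties' real signatures so the example needs only the standard library.

```python
import hashlib
import hmac

def utxo_hash(utxo):
    """Hash a UTxO set; the 'txin=value' line encoding is constructed for this sketch."""
    lines = "\n".join(f"{k}={v}" for k, v in sorted(utxo.items()))
    return hashlib.sha256(lines.encode()).digest()

def snapshot_msg(number, eta, eta0=None):
    """Bytes each party signs. eta0=None models the current scheme (number and UTxO hash only)."""
    body = number.to_bytes(8, "big") + eta
    return body if eta0 is None else eta0 + body  # fixed-width fields, so unambiguous

def sign(key, msg):
    # Stand-in signature (assumption): HMAC keeps this standard-library only.
    return hmac.new(key, msg, hashlib.sha256).digest()

def close_accepts(keys, datum_eta0, number, eta, sigs, bind_eta0):
    """Model of the close check: rebuild the message from the head datum and verify every party."""
    msg = snapshot_msg(number, eta, datum_eta0 if bind_eta0 else None)
    return len(sigs) == len(keys) and all(
        hmac.compare_digest(sign(k, msg), s) for k, s in zip(keys, sigs))

def replay_scenario(bind_eta0):
    """Returns (honest close accepted, replayed S1 accepted after the rollback)."""
    keys = [b"party-a-key", b"party-b-key"]              # constructed keys
    eta0 = utxo_hash({"tx1#0": 10, "tx2#0": 5})          # head opened with two commits
    eta1 = utxo_hash({"tx3#0": 7, "tx3#1": 8})           # UTxO set of snapshot S1
    msg = snapshot_msg(1, eta1, eta0 if bind_eta0 else None)
    s1_sigs = [sign(k, msg) for k in keys]               # all parties sign S1
    # collectCom and one commit are rolled back; the head reopens with a different U0
    eta0_reopened = utxo_hash({"tx1#0": 10, "tx9#0": 1})
    honest = close_accepts(keys, eta0, 1, eta1, s1_sigs, bind_eta0)
    replayed = close_accepts(keys, eta0_reopened, 1, eta1, s1_sigs, bind_eta0)
    return honest, replayed

if __name__ == "__main__":
    print("without eta0:", replay_scenario(False))
    print("with eta0:   ", replay_scenario(True))
```

Because the check rebuilds the message from the η0 kept in the datum, the signatures on S1 stop verifying as soon as the head is reopened with a different initial UTxO set.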