
dex: swap claim should check diversified address integrity

Open redshiftzero opened this issue 11 months ago • 0 comments

Is your feature request related to a problem? Please describe.

You should only be able to claim swap outputs once. Instead, an attacker can construct a valid SwapClaim multiple times for the same swap.

In the swap claim, we are demonstrating the integrity of the revealed nullifier via nullifier = hash3(nk, position, swap commitment). Elsewhere in the circuit we have the transmission key pk_d and the diversified base B_d in order to demonstrate swap commitment integrity. However, pk_d and nk are not checked to be associated with one another, so an attacker can witness multiple values for nk in order to generate multiple nullifiers that will each be accepted as valid.

PoC: https://github.com/penumbra-zone/penumbra/commit/f21d8b512db5a3af2530cf8f833493e5c9500422

     Running `target/debug/pcli tx swap 1test_usd --into upenumbra`
Scanning blocks from last sync height 3025 to latest height 3025
[0s] ██████████████████████████████████████████████████       0/0       0/s ETA: 0s
building transaction...
finished proving in 13.828 seconds [3 actions, 3 proofs, 2373 bytes]
broadcasting transaction and awaiting confirmation...
transaction broadcast successfully: 3fbe3561656f9b8bd4394c077003b58a360aae9966edd15362e26196eadaee13
transaction confirmed and detected: 3fbe3561656f9b8bd4394c077003b58a360aae9966edd15362e26196eadaee13 @ height 3029
Swap submitted and batch confirmed!
You will receive outputs of 0test_usd and 49.999mpenumbra. Claiming now...
building transaction...
finished proving in 8.715 seconds [1 actions, 1 proofs, 570 bytes]
broadcasting transaction and awaiting confirmation...
transaction broadcast successfully: d8bc3575a646a5825a3e9ebcd17194076d07a9ebcb2c15b8ab280703be7570c2
transaction confirmed and detected: d8bc3575a646a5825a3e9ebcd17194076d07a9ebcb2c15b8ab280703be7570c2
PoC: claiming swap outputs again
building transaction...
finished proving in 7.258 seconds [1 actions, 1 proofs, 570 bytes]
broadcasting transaction and awaiting confirmation...
transaction broadcast successfully: 159b7294bf3dc7629e42659d5ca29277d27f7865d9d54af615f72966c8994c70
transaction confirmed and detected: 159b7294bf3dc7629e42659d5ca29277d27f7865d9d54af615f72966c8994c70

Describe the solution you'd like

  1. Witness ak
  2. Using 1 and the existing variables in circuit for pk_d and nk, check pk_d = [ivk] B_d deriving the ivk from ak and nk
  3. Check diversified base B_d is not identity
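The following is an added toy model of the checks discussed above, written for this issue and not taken from Penumbra's circuit or crates. It models "[s] B" as modular exponentiation in the multiplicative group mod a prime instead of decaf377, uses SHA-256 in place of the circuit's hashes, and all keys, diversifiers, amounts and positions are constructed sample values. It shows why the nullifier check alone is insufficient: with address integrity off, every candidate nk yields a distinct accepted nullifier for the same swap commitment; with the proposed pk_d = [ivk(ak, nk)] B_d and B_d != identity checks on, only the honest nk is accepted.

```python
"""Toy model of SwapClaim verification (illustration only, not Penumbra code).

Group arithmetic, hashing and key derivation below are stand-ins chosen for
readability; the real circuit uses decaf377 and algebraic hashes.
"""
import hashlib
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1      # toy group modulus (a Mersenne prime)
GROUP_ORDER = P - 1     # scalars are reduced mod the group order
IDENTITY = 1            # identity of the multiplicative group mod P


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def scalar_mul(scalar: int, base: int) -> int:
    """Toy stand-in for [scalar] base."""
    return pow(base, scalar % GROUP_ORDER, P)


def diversified_base(diversifier: bytes) -> int:
    """B_d = hash-to-group(diversifier); toy version lands in [1, P-1]."""
    return int.from_bytes(_h(b"base", diversifier), "big") % (P - 1) + 1


def ivk(ak: bytes, nk: bytes) -> int:
    """Incoming viewing key derived from ak and nk (toy derivation)."""
    return int.from_bytes(_h(b"ivk", ak, nk), "big")


def swap_commitment(diversifier: bytes, pk_d: int, amount: int) -> bytes:
    return _h(b"swap", diversifier, pk_d.to_bytes(16, "big"), amount.to_bytes(16, "big"))


def nullifier(nk: bytes, position: int, commitment: bytes) -> bytes:
    """nullifier = hash3(nk, position, swap commitment), as in the issue text."""
    return _h(b"nf", nk, position.to_bytes(8, "big"), commitment)


@dataclass(frozen=True)
class Witness:
    ak: bytes
    nk: bytes
    diversifier: bytes
    pk_d: int
    amount: int
    position: int


@dataclass(frozen=True)
class Public:
    commitment: bytes
    nullifier: bytes


def verify_claim(w: Witness, pub: Public, check_address_integrity: bool) -> bool:
    """Toy verifier: the existing two checks plus the proposed binding of pk_d to nk."""
    b_d = diversified_base(w.diversifier)
    # Swap commitment integrity: the witnessed address and amount open the commitment.
    if swap_commitment(w.diversifier, w.pk_d, w.amount) != pub.commitment:
        return False
    # Nullifier integrity: the revealed nullifier is derived from the witnessed nk.
    if nullifier(w.nk, w.position, pub.commitment) != pub.nullifier:
        return False
    if check_address_integrity:
        # Steps 1-3 of the proposed fix: witness ak, require pk_d = [ivk(ak, nk)] B_d,
        # and reject an identity diversified base.
        if b_d == IDENTITY or scalar_mul(ivk(w.ak, w.nk), b_d) != w.pk_d:
            return False
    return True


def count_accepted_nullifiers(check_address_integrity: bool, tries: int = 3) -> int:
    """Number of distinct nullifiers the verifier accepts for a single swap."""
    ak, nk, diversifier = secrets.token_bytes(32), secrets.token_bytes(32), secrets.token_bytes(16)
    pk_d = scalar_mul(ivk(ak, nk), diversified_base(diversifier))  # honest address
    amount, position = 49_999, 7                                      # constructed values
    commitment = swap_commitment(diversifier, pk_d, amount)
    candidates = [nk] + [secrets.token_bytes(32) for _ in range(tries - 1)]
    accepted = set()
    for nk_i in candidates:
        pub = Public(commitment, nullifier(nk_i, position, commitment))
        w = Witness(ak, nk_i, diversifier, pk_d, amount, position)
        if verify_claim(w, pub, check_address_integrity):
            accepted.add(pub.nullifier)
    return len(accepted)


if __name__ == "__main__":
    print("without address integrity:", count_accepted_nullifiers(False))  # 3
    print("with address integrity:   ", count_accepted_nullifiers(True))   # 1
```

The honest nk is always among the candidates, so the count with the check enabled is exactly one; the unrelated nk values are rejected because ivk(ak, nk_i) no longer reproduces the witnessed pk_d.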

redshiftzero, Mar 08 '24 04:03