starknet.js icon indicating copy to clipboard operation
starknet.js copied to clipboard

Published 20 hours ago verified publisher icon starknet-io

Remove dangerous dependencies

Open paulmillr opened this issue 3 years ago • 11 comments
trafficstars

Current dep list is:

    "@ethersproject/bytes": "^5.6.1",
    "bn.js": "^5.2.1",
    "cross-fetch": "^3.1.5",
    "elliptic": "^6.5.4",
    "ethereum-cryptography": "^1.0.3",
    "hash.js": "^1.1.7",
    "json-bigint": "^1.0.0",
    "minimalistic-assert": "^1.0.1",
    "pako": "^2.0.4",
    "ts-custom-error": "^3.2.0",
    "url-join": "^4.0.1"

You're depending on ethereum-cryptography, which contains audited versions of secp256k1, all sorts of hashes (sha2, sha3...); e-c also doesn't use bn.js, instead, it uses native bigints.

So, I strongly suggest to remove bn.js, elliptic, hash.js — it would reduce your bundle size by a huge amount; and improve security drastically. Elliptic had 2 CVEs in 2020. Instead of them, you can simply use ethereum-cryptography stuff.

paulmillr avatar Jul 13 '22 20:07 paulmillr

hey @paulmillr ! Do you think you'll have time to work on that?

janek26 avatar Jul 14 '22 13:07 janek26

is it possible to replace elliptic with ethereum-cryptography given that we're on a different curve?

janek26 avatar Jul 15 '22 18:07 janek26

@janek26 I could work on this. Do you have any budget allocations, or grants?

Are you using nist p256?

paulmillr avatar Jul 15 '22 22:07 paulmillr

we have no budget at all atm :( The project so far is just a community effort

You can find all of the ec logic here: https://github.com/0xs34n/starknet.js/blob/develop/src/utils/ellipticCurve.ts#L10

janek26 avatar Jul 16 '22 12:07 janek26

Regarding native BigInt, according to: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt

The operations supported on BigInt values are not constant-time, and are thus open to timing attacks. JavaScript BigInts are therefore not well-suited for use in cryptography.

Any thoughts on this?

tabaktoni avatar Jul 19 '22 09:07 tabaktoni

https://github.com/mdn/content/issues/18494

paulmillr avatar Jul 19 '22 11:07 paulmillr

thanks for your efforts @paulmillr ! So I think it‘s save to assume native bigints are more secure than any external (JS) library doing the same thing

janek26 avatar Jul 19 '22 12:07 janek26

Hey @paulmillr , we'll get some grants for a couple of issues from StarkWare 🎉 Are you still interested working on this?

janek26 avatar Aug 02 '22 09:08 janek26

Yes.

paulmillr avatar Aug 02 '22 09:08 paulmillr

@paulmillr hi! Here you can apply for contribution, to get compensation, through this portal: https://app.onlydust.xyz/contributions/7d2d8fa6-a35c-4797-a531-9c1b7f406686

ivpavici avatar Aug 04 '22 14:08 ivpavici

This Issue is Assigned to @katsumotoeth but there seems like no activity around it. Can we reassign it to @paulmillr true only dust?

tabaktoni avatar Sep 23 '22 13:09 tabaktoni

Related ~~https://github.com/paulmillr/micro-starknet~~ https://github.com/paulmillr/noble-curves

ivpavici avatar Nov 21 '22 15:11 ivpavici

Left to replace:

"@ethersproject/bytes": "^5.6.1",
"ethereum-cryptography": "^1.0.3",
"json-bigint": "^1.0.0",
"minimalistic-assert": "^1.0.1",
"pako": "^2.0.4",
"ts-custom-error": "^3.2.0",
"url-join": "^4.0.1"

tabaktoni avatar Feb 22 '23 17:02 tabaktoni

Related Issue Reimplement json-bigint #52

tabaktoni avatar Feb 22 '23 18:02 tabaktoni