Ensure that the delegation signature can't be used as a transaction signature #474

New Issue

Closed

opened 2023-07-24 21:14:21 +09:00 by davidyuk · 1 comment

davidyuk commented 2023-07-24 21:14:21 +09:00 (Migrated from gitlab.com)

Copy Link

Copy Source

While doing typed data signing in SDK we added a magic number to distinguish its payload from anything else, but I found no such magic number in delegation signature signing.

Most delegation signatures look safe because they include the account address in the payload, except for delegation signature to respond to oracle query. As I understand it is generated as sign(network id + contract address + oracle query id). Without proper validation on the signer side, a malicious actor can get a signature of network id + arbitrary 64 bytes.

Transaction signature can be generated as sign(network id + encoded transaction). The length of the encoded transaction can be increased by adjusting payload, gasLimit fields without behavior changing. So, using a method to sign delegation signature is theoretically possible to generate a transaction signature by crafting a transaction of 64 bytes and splitting it into two pieces ("contract address", "oracle query id").

I didn't spend enough time to find a meaningful example, the closest one is

tx_+D4qAaEBhAyXS5cWR3ZFS6EZ2E7cTWBYqN7JK27cV4qy0wtMQgCCAtOAgwcAA4ZFYFJNsAAAAACBgIQ7msoAgHSE2aw=

it is a 64-byte long ContractCreateTx with empty bytecodes, so it can't be mined.

To protect from attracts like this I suggest adding a mark to ensure that these sign payloads won't overlap. It may be a 0x1a01 prefix in the fashion of https://github.com/aeternity/aepp-sdk-js/pull/1843

While doing typed data signing in SDK we [added a magic number](https://github.com/aeternity/aepp-sdk-js/pull/1843#pullrequestreview-1485132217) to distinguish its payload from anything else, but I found no such magic number in delegation signature signing. Most [delegation signatures](https://docs.aeternity.com/aesophia/v7.2.1/sophia_features/#delegation-signature) look safe because they include the account address in the payload, except for [delegation signature to respond to oracle query](https://github.com/aeternity/aepp-sophia-examples/blob/7798fe789812a74e0afbd4125a81be8468fd5555/test/oracleDelegation.js#L68). As I understand it is generated as `sign(network id + contract address + oracle query id)`. Without proper validation on the signer side, a malicious actor can get a signature of `network id + arbitrary 64 bytes`. Transaction signature can be generated as `sign(network id + encoded transaction)`. The length of the encoded transaction can be increased by adjusting `payload`, `gasLimit` fields without behavior changing. So, using a method to sign delegation signature is theoretically possible to generate a transaction signature by crafting a transaction of 64 bytes and splitting it into two pieces ("contract address", "oracle query id"). I didn't spend enough time to find a meaningful example, the closest one is ``` tx_+D4qAaEBhAyXS5cWR3ZFS6EZ2E7cTWBYqN7JK27cV4qy0wtMQgCCAtOAgwcAA4ZFYFJNsAAAAACBgIQ7msoAgHSE2aw= ``` it is a 64-byte long ContractCreateTx with empty bytecodes, so it can't be mined. To protect from attracts like this I suggest adding a mark to ensure that these sign payloads won't overlap. It may be a 0x1a01 prefix in the fashion of https://github.com/aeternity/aepp-sdk-js/pull/1843

zxq9 commented 2023-08-03 17:40:38 +09:00 (Migrated from gitlab.com)

Copy Link

Copy Source

Created by: hanssv

Good observation!

Though used in Sophia the delegation signatures are just signatures for the sake of the compiler - could you please point this to aeternity repo?

*Created by: hanssv* Good observation! Though used in Sophia the delegation signatures are just signatures for the sake of the compiler - could you please point this to `aeternity` repo?

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

master

prh-docs-fix

uw-mldsa-crypto

uw-rename-fix-deps

bump_gmserialization

zomp

ceres

gh-pages

gh-485

dependabot/pip/dot-github/workflows/pygments-2.15.0

old_ceres

ghallak/split-typechecker

gh-400

new_ceres

loop-op

type-env

ghallak/229

option-force-msg

6.0.2

lima

call-fee

fix-ets

mergesort

lima-master-merge

optionally_generate_aci

changelog-update

make-return-reserved-word

radrow-patch-2

aens-subdomains

aens-at-full-node-ver

pt-166866806-claim-with-name-fee

extend-aci-interface

generalized_accounts_no_abi_move

roma

quickcheck-ci

v7.5.0

v7.4.0

v7.3.0

v7.2.1

v7.2.0

v7.1.0

v7.0.1

v7.0.0

v6.1.0

v6.0.2

v6.0.1

v6.0.0

v5.0.0

v4.3.0

v4.2.0

v4.1.0

v4.1.0-rc1

v4.0.0

v4.0.0-rc5

v4.0.0-rc4

v4.0.0-rc3

v4.0.0-rc1

v3.2.0

v3.1.0

v3.0.0

v2.1.0

v2.0.0

roma-v1

v2

Labels

Clear labels

WIP

bug

consensus-breaking

dependencies

documentation

duplicate

effort: high

effort: low

effort: medium

effort: trivial

enhancement

good first issue

help wanted

invalid

maintenance

question

task/feature

todo-in-rewrite

wontfix

bug

Something is not working

duplicate

This issue or pull request already exists

enhancement

New feature

help wanted

Need some help

invalid

Something is wrong

pig lipstick

Muggle-facing enhancements

question

More information is needed

wontfix

This won't be fixed

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Dagadunn Pickmick dimitar.p.ivanov flambard (Markus Flambard) gchewy hans_sv pharpend spivee (Jarvis Carroll) thescientress (Cecille de Jesus) uwiger (Ulf Wiger) zxq9 (Craig Everett)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: QPQ-AG/sophia#474