dApp connector removes inputs of the signed transaction #2160

Open
anon-real opened this issue Jun 4, 2021 · 12 comments

@anon-real

dApp connector removes some inputs when signing the transaction. Example:
Unsigned transaction (input to sign_tx):

{
  "id": "7af39f14f0989c2f52047d9186388d39cd7410f972f304f3e8c1600a6d693dfc",
  "inputs": [
    {
      "boxId": "ca6158991dda9b9ff0eb277ba196d14b20292ceec9e80e3ffd3463bb3a004898",
      "value": 100000000,
      "ergoTree": "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",
      "assets": [
        {
          "tokenId": "21da34c99ee28ee79339b1c3e0337e730dcea5c2cce1b4918b8e1a1b86723a32",
          "amount": 1
        }
      ],
      "additionalRegisters": {
        "R5": "04fad849",
        "R7": "0e1754657374696e67206461707020636f6e6e6563746f7221",
        "R9": "0e1a3130303030303030302c3130303030303030302c353033373034",
        "R4": "0e240008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
        "R6": "058084af5f",
        "R8": "0e240008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e"
      },
      "creationHeight": 503704,
      "transactionId": "91db83ec0949e931c8c509614adc20ccc9453f032b199ced5c09326ad46f02ba",
      "index": 0,
      "extension": {}
    },
    {
      "boxId": "30628cfbd2bf3f60b22a3f77db8d1dc33a1c79e20f28def9cf6c190c1d70bd43",
      "value": 886900000,
      "ergoTree": "0008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
      "assets": [],
      "creationHeight": 503702,
      "additionalRegisters": {},
      "transactionId": "3cf10c396d357a446c68278712a512162dc0029f1b664c434d231426275e6e9d",
      "index": 1,
      "extension": {}
    }
  ],
  "dataInputs": [
    {
      "boxId": "40651a7a0a123ee131a2a9133d86d475a66d3eb20f4e988e97fa03c8eceab4f2"
    }
  ],
  "outputs": [
    {
      "boxId": "ac2368eb6bb00b4ad814ec891a5caf857ad91befd6784baf690e3be411df3394",
      "value": 200000000,
      "ergoTree": "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",
      "assets": [
        {
          "tokenId": "21da34c99ee28ee79339b1c3e0337e730dcea5c2cce1b4918b8e1a1b86723a32",
          "amount": 1
        }
      ],
      "additionalRegisters": {
        "R7": "0e1754657374696e67206461707020636f6e6e6563746f7221",
        "R4": "0e240008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
        "R6": "058084af5f",
        "R8": "0e240008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
        "R5": "04fad849",
        "R9": "0e1a3130303030303030302c3130303030303030302c353033373034"
      },
      "creationHeight": 503706,
      "transactionId": "7af39f14f0989c2f52047d9186388d39cd7410f972f304f3e8c1600a6d693dfc",
      "index": 0
    },
    {
      "boxId": "f70427ec9fa55d2f512715e438db3c7bf8b8e29512b5dbf41c5d35b1851adad4",
      "value": 100000000,
      "ergoTree": "0008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
      "assets": [],
      "additionalRegisters": {},
      "creationHeight": 503706,
      "transactionId": "7af39f14f0989c2f52047d9186388d39cd7410f972f304f3e8c1600a6d693dfc",
      "index": 1
    },
    {
      "boxId": "f99654a630e7e40b69e06db9251337e06662a82e383ffce3036933c555d76e9a",
      "value": 684900000,
      "ergoTree": "0008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
      "assets": [],
      "additionalRegisters": {},
      "creationHeight": 503706,
      "transactionId": "7af39f14f0989c2f52047d9186388d39cd7410f972f304f3e8c1600a6d693dfc",
      "index": 2
    },
    {
      "boxId": "29d54677246dce7bfcb8733fba606bd37abbeb0503ecb1135b923e69d31fbe7a",
      "value": 2000000,
      "ergoTree": "1005040004000e36100204a00b08cd0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798ea02d192a39a8cc7a701730073011001020402d19683030193a38cc7b2a57300000193c2b2a57301007473027303830108cdeeac93b1a57304",
      "assets": [],
      "additionalRegisters": {},
      "creationHeight": 503706,
      "transactionId": "7af39f14f0989c2f52047d9186388d39cd7410f972f304f3e8c1600a6d693dfc",
      "index": 3
    }
  ]
}

Signed transaction:

{
  "id": "429026121fce1921c3ebe9da6f657ffaa33a61c6e54478aa7115e683cdb02a63",
  "inputs": [
    {
      "boxId": "ca6158991dda9b9ff0eb277ba196d14b20292ceec9e80e3ffd3463bb3a004898",
      "spendingProof": {
        "proofBytes": "f6dcd180f2d0821b4e17fe3a49dcd2c7384beccecde8a2150925d1c86aecb3d78c72818a92fb3c4d86bd70fa050e691c5c6d18f3e7ce0907",
        "extension": {}
      }
    }
  ],
  "dataInputs": [
    {
      "boxId": "40651a7a0a123ee131a2a9133d86d475a66d3eb20f4e988e97fa03c8eceab4f2"
    }
  ],
  "outputs": [
    {
      "boxId": "24936e98457105d9f58b7c11a6052e05adf27ea4c475282b1b55622ad06f7f3d",
      "value": 200000000,
      "ergoTree": "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",
      "assets": [
        {
          "tokenId": "21da34c99ee28ee79339b1c3e0337e730dcea5c2cce1b4918b8e1a1b86723a32",
          "amount": 1
        }
      ],
      "additionalRegisters": {
        "R4": "0e240008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
        "R8": "0e240008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
        "R9": "0e1a3130303030303030302c3130303030303030302c353033373034",
        "R5": "04fad849",
        "R7": "0e1754657374696e67206461707020636f6e6e6563746f7221",
        "R6": "058084af5f"
      },
      "creationHeight": 503706,
      "transactionId": "429026121fce1921c3ebe9da6f657ffaa33a61c6e54478aa7115e683cdb02a63",
      "index": 0
    },
    {
      "boxId": "edc013c32784cc72df0fa535135d1a84dc4990e0b1553e57aba8d6b5f7a0439f",
      "value": 100000000,
      "ergoTree": "0008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
      "assets": [],
      "additionalRegisters": {},
      "creationHeight": 503706,
      "transactionId": "429026121fce1921c3ebe9da6f657ffaa33a61c6e54478aa7115e683cdb02a63",
      "index": 1
    },
    {
      "boxId": "5f0e2795ff35947da3d3dadcf4cb30489b65ae22ef288ff71aed5950ae7d8681",
      "value": 684900000,
      "ergoTree": "0008cd03d2e31086f59ab82d2085fafab9504921946744c5a9606d1ed8b7b4d7895f976e",
      "assets": [],
      "additionalRegisters": {},
      "creationHeight": 503706,
      "transactionId": "429026121fce1921c3ebe9da6f657ffaa33a61c6e54478aa7115e683cdb02a63",
      "index": 2
    },
    {
      "boxId": "64770e13f466e8000756801d8cd8b4d09ca4461f72bd1646519636e63900fd07",
      "value": 2000000,
      "ergoTree": "1005040004000e36100204a00b08cd0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798ea02d192a39a8cc7a701730073011001020402d19683030193a38cc7b2a57300000193c2b2a57301007473027303830108cdeeac93b1a57304",
      "assets": [],
      "additionalRegisters": {},
      "creationHeight": 503706,
      "transactionId": "429026121fce1921c3ebe9da6f657ffaa33a61c6e54478aa7115e683cdb02a63",
      "index": 3
    }
  ]
}

As you can see, one of the inputs has been removed from the signed transaction causing the tx to be invalid.
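A check a dApp could run on the value returned by sign_tx before submitting it, added here as an example; it is not part of the original report or of the Yoroi code. The function name `checkSignedInputs` is hypothetical and the sample transactions use constructed, shortened box ids.

```javascript
// Added example: compare the transaction handed to sign_tx with the one returned.
function boxIds(list) {
  return (list || []).map((entry) => entry.boxId);
}

// Returns a list of problems; an empty list means the signed transaction
// spends exactly the inputs the dApp asked for, in the same order.
function checkSignedInputs(unsignedTx, signedTx) {
  const problems = [];
  const wanted = boxIds(unsignedTx.inputs);
  const got = boxIds(signedTx.inputs);
  const wantedSet = new Set(wanted);
  const gotSet = new Set(got);

  for (const id of wanted) {
    if (!gotSet.has(id)) problems.push(`input dropped: ${id}`);
  }
  for (const id of got) {
    if (!wantedSet.has(id)) problems.push(`unexpected input: ${id}`);
  }
  // Same set of ids but a different sequence or count is still a different transaction.
  if (problems.length === 0 &&
      (wanted.length !== got.length || wanted.some((id, i) => id !== got[i]))) {
    problems.push("inputs reordered or duplicated");
  }
  // Every input that survived must carry a proof object (proofBytes may be empty).
  for (const input of signedTx.inputs || []) {
    const proof = input.spendingProof;
    if (!proof || typeof proof.proofBytes !== "string") {
      problems.push(`input has no spendingProof: ${input.boxId}`);
    }
  }
  if (boxIds(unsignedTx.dataInputs).join(",") !== boxIds(signedTx.dataInputs).join(",")) {
    problems.push("dataInputs differ");
  }
  return problems;
}

// Constructed sample mirroring the report: two inputs requested, one returned.
const sampleUnsigned = {
  inputs: [{ boxId: "aa01" }, { boxId: "bb02" }],
  dataInputs: [{ boxId: "cc03" }],
};
const sampleSigned = {
  inputs: [{ boxId: "aa01", spendingProof: { proofBytes: "f6dc", extension: {} } }],
  dataInputs: [{ boxId: "cc03" }],
};
console.log(checkSignedInputs(sampleUnsigned, sampleSigned));
```

Refusing to submit when the list is non-empty turns a silently altered transaction into an explicit client-side error.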

@anon-real
Author

@rooooooooob Please also check this out.
Thanks!

@rooooooooob
Contributor

Thanks for the bug report @anon-real. What version (or commit if it's a dev version) are you using? I'm going to need some help on how to reproduce it. Correct me if I'm wrong, but the input that is disappearing is a regular P2PK address with no assets (30628cfbd2bf3f60b22a3f77db8d1dc33a1c79e20f28def9cf6c190c1d70bd43), while the one that stays (ca6158991dda9b9ff0eb277ba196d14b20292ceec9e80e3ffd3463bb3a004898) is P2S?

In terms of trying to reproduce it, can I take that ca6158991dda9b9ff0eb277ba196d14b20292ceec9e80e3ffd3463bb3a004898 box and attach any input to it, or does it require specifics?

@anon-real
Author

@rooooooooob I am using the latest versions of Yoroi nightly and dapp connector from the google store.
Yes, you are right. 30628cfbd2bf3f60b22a3f77db8d1dc33a1c79e20f28def9cf6c190c1d70bd43 is a P2PK box belonging to my wallet and ca6158991dda9b9ff0eb277ba196d14b20292ceec9e80e3ffd3463bb3a004898 is a P2S auction box.

Spending ca6158991dda9b9ff0eb277ba196d14b20292ceec9e80e3ffd3463bb3a004898 requires some conditions to be true in the assembled transaction. I can share the version of the auction house which is using the dapp connector to place bids. I think you can reproduce with that.

@deadit
Contributor

deadit commented Jun 9, 2021

@rooooooooob maybe the dapp connector nightly version needs to be updated to the latest, because the last update of the Chrome store version was in May

@rooooooooob
Contributor

@deadit It's unlikely you will have to update the connector extension itself very frequently, if at all. All the logic for the UI / signing / etc is inside of the Yoroi extension.

Here's which things the 2 extensions do:

yoroi-ergo-connector:

  • Injects the API into the webpage, handles disconnects, etc
  • Handles sending messages back and forth from the page to Yoroi and back, RPC calls, etc.

yoroi-extension:

  • Handling the UI opened by the connector
  • Handling the API calls forwarded to us from the connector (signing, getting utxos, etc)

The reason we have it separate is more for security/permissions reasons (+ ability to opt-in to this functionality). The connector necessarily requires more permissions like the ability to access and modify every page you go to so that it can inject its API into the page and such, which we would rather not have to add into Yoroi. It doesn't look very appealing to users when they install the wallet (especially not knowing about the connector) and it says it can access/modify all pages they go to. We could have maybe done some runtime chrome permissions and tried to do both things fully within Yoroi with opt-in permissions, but we preferred this level of separation for security/privacy.

@anon-real
Author

@rooooooooob thanks for the clarification. So have you got any ideas about how this happens?

@rooooooooob
Contributor

@anon-real I haven't looked into it yet since there have been other issues that needed resolving first that were also easier to reproduce.

> I can share the version of the auction house which is using the dapp connector to place bids.

That would help, as otherwise I'm not sure where to start in reproducing it, as the behavior of signing the P2S while ignoring the regular P2PK one is really weird. We had a problem of it removing the P2S inputs but that was resolved in #2081. Due to some issues relating to upgrading sigma-rust from 0.7.0 to 0.10.0 that we found after it was merged, it was not included in any official releases but it's tagged for 4.6.0 along with the other fixes I've been working on this week. But that's the opposite of this problem...

Currently (in develop as of that #2081 PR) we shouldn't be filtering any inputs that we aren't able to sign for some reason, but the problem still exists for non-owned data inputs, but that will be fixed soon-ish. I plan on starting on this early next week. That auction house would be of help so I can reproduce this myself since just by looking at it I'm unsure of what the problem is.

@rooooooooob
Contributor

I see your ErgoAuctionHouse repo. Is that it? Although I would ideally need some information how to use it/what to do to reproduce this issue. Or does it happen with all uses of it?

@oskin1
Contributor

oskin1 commented Jun 11, 2021

@rooooooooob, thanks for clarifications! So when is the next Yoroi Nightly release?

@anon-real
Author

@rooooooooob I will deploy a version of the Auction House with which you can probably reproduce. I will provide instructions when it is deployed.

@anon-real
Author

@rooooooooob I have some strange problems which prevent me from deploying that version of the auction house.
So you will need to build the source which is quite easy:

The website should connect to your wallet and create the tx, which will be printed in the console.

However, since there is a token involved, your Yoroi will crash because of the issue I reported before. So when you are ready, please let me know to send you the token so Yoroi doesn't crash.

Please let me know if anything else is needed.

@rooooooooob
Contributor

@oskin1 We're hoping for maybe tomorrow.
