This repository has been archived by the owner on Jun 11, 2024. It is now read-only.

Address collision results in public keys being overwritten #266

Closed
karmacoma opened this issue Aug 31, 2016 · 0 comments

karmacoma commented Aug 31, 2016

In the event of a collision where the same passphrase resolves to the same LSK address, the public key on mem_accounts is overwritten, allowing transactions to be signed from the account using either of the colliding passphrases.

Initial resolution:

  • Change the behavior of the endpoints POST /api/accounts/open and POST /api/accounts/generatePublicKey, so that new mem_accounts entries are not created for unregistered addresses.
  • Change the behavior of the endpoint: PUT /api/transactions and other endpoints for various transaction types, so that a new mem_accounts entry is created, if the account is unregistered.
  • Make the publicKey for each entry in mem_accounts immutable.

Further mitigations:

  • Increase address size to reduce probability of collisions.
  • Deprecate the use of addresses and use only public keys.
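
The overwrite described in this issue next to the immutable-`publicKey` resolution, as an added example that is not code from the Lisk repository. Assumptions: a `Map` stands in for `mem_accounts`, and `toyAddress` / `toyPublicKey` are hypothetical helpers that use an 8-bit address space so that two constructed keys collide immediately.

```javascript
const crypto = require('crypto');

// Assumption: a deliberately tiny 8-bit address space. Real addresses are
// far larger, but the failure mode on a collision is the same.
function toyAddress(publicKey) {
  return crypto.createHash('sha256').update(publicKey).digest()[0] + 'L';
}

// Hypothetical stand-in for deriving a public key from a passphrase.
function toyPublicKey(passphrase) {
  return crypto.createHash('sha256').update('pk:' + passphrase).digest('hex');
}

// Find two constructed passphrases whose keys map to the same toy address.
function findCollidingKeys() {
  const seen = new Map();
  for (let i = 0; ; i++) {
    const pk = toyPublicKey('constructed passphrase ' + i);
    const addr = toyAddress(pk);
    if (seen.has(addr)) return { address: addr, first: seen.get(addr), second: pk };
    seen.set(addr, pk);
  }
}

// Behaviour described in the issue: the stored key is replaced on every write.
function setKeyOverwriting(accounts, address, publicKey) {
  accounts.set(address, { publicKey });
  return true;
}

// Mitigation: the first write binds the key; a different key is refused.
function setKeyImmutable(accounts, address, publicKey) {
  const entry = accounts.get(address);
  if (entry && entry.publicKey !== publicKey) return false;
  if (!entry) accounts.set(address, { publicKey });
  return true;
}

function demo() {
  const { address, first, second } = findCollidingKeys();
  const weak = new Map(), hardened = new Map();
  setKeyOverwriting(weak, address, first);
  setKeyOverwriting(weak, address, second); // silently replaces the first key
  const firstOk = setKeyImmutable(hardened, address, first);
  const secondOk = setKeyImmutable(hardened, address, second); // rejected
  return { first, second, weakKey: weak.get(address).publicKey,
           hardenedKey: hardened.get(address).publicKey, firstOk, secondOk };
}
```

A rejected write should surface as an error to the caller rather than being ignored, so that a transaction signed with the second key fails verification against the stored key.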
@karmacoma karmacoma self-assigned this Aug 31, 2016
@karmacoma karmacoma added this to the Mainchain Stabilisation milestone Aug 31, 2016
karmacoma pushed a commit that referenced this issue Aug 31, 2016
New accounts are no longer written to mem_accounts. Affects POST /api/accounts/open and POST /api/accounts/generatePublicKey.
karmacoma pushed a commit that referenced this issue Aug 31, 2016
Resulting from: fdd31191466e9b6a4c94d08f188fe8db81dc05e1.
karmacoma pushed a commit that referenced this issue Aug 31, 2016
Related to: b928c1804dab3f49a3e5ecdd0df1361c85550c4c.
karmacoma pushed a commit that referenced this issue Sep 9, 2016
When two passphrases collide into the same address.
karmacoma pushed a commit that referenced this issue Sep 9, 2016
karmacoma pushed a commit that referenced this issue Sep 9, 2016
Indicating whether an unconfirmed transaction sent from an account has been applied.
karmacoma pushed a commit that referenced this issue Sep 9, 2016
Making address, u_username, username, virgin, publicKey, and secondPublicKey columns immutable.
karmacoma pushed a commit that referenced this issue Sep 9, 2016
When decrementing unconfirmed balance.