New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[P1-N10] Warn users against re-using salts #1273
Conversation
Signed-off-by: Nick Pai <npai.nyc@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks awesome! Thanks for adding this. Just a few minor comments.
@@ -358,6 +358,8 @@ contract Voting is Testable, Ownable, OracleInterface, VotingInterface { | |||
* @notice Reveal a previously committed vote for `identifier` at `time`. | |||
* @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | |||
* that `commitVote()` was called with. Only the committer can reveal their vote. | |||
* @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
* it assumes that voters will never reuse the same pair of salt and price. Otherwise their commits could be easily disclosed in advance. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should rephrase this slightly to discourage voters from reusing the same salt twice, not just salt-price pair. Since an attacker may have some ability to predict the price for a particular vote, so a known salt and an unknown price wouldn't offer that much protection.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
* @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | ||
* that `commitVote()` was called with. Only the committer can reveal their vote. | ||
* @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | ||
* it assumes that voters will never reuse the same pair of salt and price. Otherwise their commits could be easily disclosed in advance. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment as above.
@@ -153,7 +153,8 @@ Reveals a vote that the voter committed to during the commit period. | |||
This method takes the `identifier` and `time` to identify the price request. | |||
|
|||
So the reveal can be verified on-chain, the voter must also provide the `price` and `salt` that they used to compute | |||
the `hash` that they passed to `commitVote`. | |||
the `hash` that they passed to `commitVote`. Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
it assumes that voters will never reuse the same pair of salt and price. Voters should never reuse pairs of salt and price or their commits can be disclosed in advance, and to be safe voters should avoid reusing salts in general. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same comment as above.
@@ -153,7 +153,8 @@ Reveals a vote that the voter committed to during the commit period. | |||
This method takes the `identifier` and `time` to identify the price request. | |||
|
|||
So the reveal can be verified on-chain, the voter must also provide the `price` and `salt` that they used to compute | |||
the `hash` that they passed to `commitVote`. | |||
the `hash` that they passed to `commitVote`. Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: maybe we should also put this warning in the commitVote section.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good idea done.
Signed-off-by: Nick Pai <npai.nyc@gmail.com>
`keccak256(price, salt)`, where price is the `int256` price value that they wish to submit and `salt` is a random | ||
`int256` value. The voter must remember the `price` and `salt` that they submitted so they can reveal their commit | ||
later - otherwise, the commit cannot be revealed and the vote won't be counted. | ||
`keccak256(price, salt, time, address, roundId, identifier)`, where price is the `int256` price value that they wish to submit, `time` is the unix timestamp of the request being voted on, `address` is the voter's address (technically, the same one that will reveal the vote), `roundId` is the current voting round, `identifier` is the pricefeed identifier relevant to the price request, and `salt` is a random `int256` value. The voter must remember the inputs to the vote `hash` that they submitted so they can reveal their commit later - otherwise, the commit cannot be revealed and the vote won't be counted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rcai1 I changed this description to commitVote
to reflect that the vote hash now requires additional information.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few small language suggestions.
* that `commitVote()` was called with. Only the committer can reveal their vote. | ||
* @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | ||
* voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | ||
* they can easily reveal the vote. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* they can easily reveal the vote. | |
* they can easily determine the vote pre-reveal. |
@@ -358,6 +358,9 @@ contract Voting is Testable, Ownable, OracleInterface, VotingInterface { | |||
* @notice Reveal a previously committed vote for `identifier` at `time`. | |||
* @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | |||
* that `commitVote()` was called with. Only the committer can reveal their vote. | |||
* @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
* voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |||
* they can easily reveal the vote. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* they can easily reveal the vote. | |
* they can easily determine the vote pre-reveal. |
@@ -358,6 +358,9 @@ contract Voting is Testable, Ownable, OracleInterface, VotingInterface { | |||
* @notice Reveal a previously committed vote for `identifier` at `time`. | |||
* @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | |||
* that `commitVote()` was called with. Only the committer can reveal their vote. | |||
* @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
* voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |
* voters should never reuse salts. If someone else is able to guess the voted price and knows that a salt will be reused, then |
* @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | ||
* that `commitVote()` was called with. Only the committer can reveal their vote. | ||
* @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | ||
* voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |
* voters should never reuse salts. If someone else is able to guess the voted price and knows that a salt will be reused, then |
`keccak256(price, salt, time, address, roundId, identifier)`, where price is the `int256` price value that they wish to submit, `time` is the unix timestamp of the request being voted on, `address` is the voter's address (technically, the same one that will reveal the vote), `roundId` is the current voting round, `identifier` is the pricefeed identifier relevant to the price request, and `salt` is a random `int256` value. The voter must remember the inputs to the vote `hash` that they submitted so they can reveal their commit later - otherwise, the commit cannot be revealed and the vote won't be counted. | ||
|
||
Since transaction data is public, the salt will be revealed along with the vote. While this is the system’s expected behavior, | ||
voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |
voters should never reuse salts. If someone else is able to guess the voted price and knows that a salt will be reused, then |
Signed-off-by: Nick Pai npai.nyc@gmail.com