[P1-N10] Warn users against re-using salts #1273
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Nick Pai <npai.nyc@gmail.com>
mrice32
reviewed
Apr 22, 2020
| @@ -358,6 +358,8 @@ contract Voting is Testable, Ownable, OracleInterface, VotingInterface { | |||
| * @notice Reveal a previously committed vote for `identifier` at `time`. | |||
| * @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | |||
| * that `commitVote()` was called with. Only the committer can reveal their vote. | |||
| * @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
| * it assumes that voters will never reuse the same pair of salt and price. Otherwise their commits could be easily disclosed in advance. | |||
There was a problem hiding this comment.
I think we should rephrase this slightly to discourage voters from reusing the same salt twice, not just salt-price pair. Since an attacker may have some ability to predict the price for a particular vote, so a known salt and an unknown price wouldn't offer that much protection.
| * @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | ||
| * that `commitVote()` was called with. Only the committer can reveal their vote. | ||
| * @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | ||
| * it assumes that voters will never reuse the same pair of salt and price. Otherwise their commits could be easily disclosed in advance. |
| @@ -153,7 +153,8 @@ Reveals a vote that the voter committed to during the commit period. | |||
| This method takes the `identifier` and `time` to identify the price request. | |||
|
|
|||
| So the reveal can be verified on-chain, the voter must also provide the `price` and `salt` that they used to compute | |||
| the `hash` that they passed to `commitVote`. | |||
| the `hash` that they passed to `commitVote`. Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
| it assumes that voters will never reuse the same pair of salt and price. Voters should never reuse pairs of salt and price or their commits can be disclosed in advance, and to be safe voters should avoid reusing salts in general. | |||
| @@ -153,7 +153,8 @@ Reveals a vote that the voter committed to during the commit period. | |||
| This method takes the `identifier` and `time` to identify the price request. | |||
|
|
|||
| So the reveal can be verified on-chain, the voter must also provide the `price` and `salt` that they used to compute | |||
| the `hash` that they passed to `commitVote`. | |||
| the `hash` that they passed to `commitVote`. Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
There was a problem hiding this comment.
nit: maybe we should also put this warning in the commitVote section.
Signed-off-by: Nick Pai <npai.nyc@gmail.com>
nicholaspai
commented
Apr 22, 2020
| `keccak256(price, salt)`, where price is the `int256` price value that they wish to submit and `salt` is a random | ||
| `int256` value. The voter must remember the `price` and `salt` that they submitted so they can reveal their commit | ||
| later - otherwise, the commit cannot be revealed and the vote won't be counted. | ||
| `keccak256(price, salt, time, address, roundId, identifier)`, where price is the `int256` price value that they wish to submit, `time` is the unix timestamp of the request being voted on, `address` is the voter's address (technically, the same one that will reveal the vote), `roundId` is the current voting round, `identifier` is the pricefeed identifier relevant to the price request, and `salt` is a random `int256` value. The voter must remember the inputs to the vote `hash` that they submitted so they can reveal their commit later - otherwise, the commit cannot be revealed and the vote won't be counted. |
There was a problem hiding this comment.
@rcai1 I changed this description to commitVote to reflect that the vote hash now requires additional information.
chrismaree
approved these changes
Apr 22, 2020
mrice32
reviewed
Apr 22, 2020
| * that `commitVote()` was called with. Only the committer can reveal their vote. | ||
| * @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | ||
| * voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | ||
| * they can easily reveal the vote. |
There was a problem hiding this comment.
Suggested change
| * they can easily reveal the vote. | |
| * they can easily determine the vote pre-reveal. |
| @@ -358,6 +358,9 @@ contract Voting is Testable, Ownable, OracleInterface, VotingInterface { | |||
| * @notice Reveal a previously committed vote for `identifier` at `time`. | |||
| * @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | |||
| * that `commitVote()` was called with. Only the committer can reveal their vote. | |||
| * @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
| * voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |||
| * they can easily reveal the vote. | |||
There was a problem hiding this comment.
Suggested change
| * they can easily reveal the vote. | |
| * they can easily determine the vote pre-reveal. |
| @@ -358,6 +358,9 @@ contract Voting is Testable, Ownable, OracleInterface, VotingInterface { | |||
| * @notice Reveal a previously committed vote for `identifier` at `time`. | |||
| * @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | |||
| * that `commitVote()` was called with. Only the committer can reveal their vote. | |||
| * @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | |||
| * voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |||
There was a problem hiding this comment.
Suggested change
| * voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |
| * voters should never reuse salts. If someone else is able to guess the voted price and knows that a salt will be reused, then |
| * @dev The revealed `price`, `salt`, `time`, `address`, `roundId`, and `identifier`, must hash to the latest `hash` | ||
| * that `commitVote()` was called with. Only the committer can reveal their vote. | ||
| * @dev Since transaction data is public, the salt will be revealed with the vote. While this is the system’s expected behavior, | ||
| * voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then |
There was a problem hiding this comment.
Suggested change
| * voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |
| * voters should never reuse salts. If someone else is able to guess the voted price and knows that a salt will be reused, then |
| `keccak256(price, salt, time, address, roundId, identifier)`, where price is the `int256` price value that they wish to submit, `time` is the unix timestamp of the request being voted on, `address` is the voter's address (technically, the same one that will reveal the vote), `roundId` is the current voting round, `identifier` is the pricefeed identifier relevant to the price request, and `salt` is a random `int256` value. The voter must remember the inputs to the vote `hash` that they submitted so they can reveal their commit later - otherwise, the commit cannot be revealed and the vote won't be counted. | ||
|
|
||
| Since transaction data is public, the salt will be revealed along with the vote. While this is the system’s expected behavior, | ||
| voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then |
There was a problem hiding this comment.
Suggested change
| voters should never reuse salts. If someone else is able to predict the voted price or knows that a price will be reused, then | |
| voters should never reuse salts. If someone else is able to guess the voted price and knows that a salt will be reused, then |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Nick Pai npai.nyc@gmail.com