Patch serial # exploit.
The serial # range needs to be checked or else the serial number is able to be incremented to a value that will create a valid proof, thus allowing multiple spends of a single mint.
presstab committed Nov 15, 2017
1 parent b3618fa commit ce103a0
Showing 2 changed files with 11 additions and 0 deletions.
10 changes: 10 additions & 0 deletions CoinSpend.cpp
@@ -29,6 +29,11 @@ CoinSpend::CoinSpend(const Params* p, const PrivateCoin& coin,
throw ZerocoinException("Accumulator witness does not verify");
}

// The serial # needs to be within the specified range our else it can be incremented by the modulus and create another valid proof
if (!HasValidSerial()) {
throw ZerocoinException("Invalid serial # range");
}

// 1: Generate two separate commitments to the public coin (C), each under
// a different set of public parameters. We do this because the RSA accumulator
// has specific requirements for the commitment parameters that are not
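Review bot: the new comment on the range check has a typo ("our else" should read "or else"); since this comment documents the reason for the fix, it is worth correcting. A second, minor point: the check depends only on the coin's serial, not on the accumulator witness, so it could be moved ahead of the witness verification to fail fast on a bad serial before the more expensive witness check runs.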
@@ -79,4 +84,9 @@ const uint256 CoinSpend::signatureHash(const SpendMetaData &m) const {
return h.GetHash();
}

bool CoinSpend::HasValidSerial() const
{
return coinSerialNumber > 0 && coinSerialNumber < params->coinCommitmentGroup.groupOrder;
}

} /* namespace libzerocoin */
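Review bot: HasValidSerial() enforces `0 < coinSerialNumber < groupOrder`, but the only caller added in this commit is the spend-constructing constructor, which a malicious spender never runs. The exploit described in the commit message is a verifier-side problem, so Verify() should also reject a spend whose serial fails HasValidSerial(); otherwise a spend deserialized from a peer with a serial shifted by the group order still reaches the proof checks unchanged. A one-line comment above the function stating which group order the serial must lie below would also help future readers.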
1 change: 1 addition & 0 deletions CoinSpend.h
@@ -76,6 +76,7 @@ class CoinSpend {
*/
const CoinDenomination getDenomination();

bool HasValidSerial() const;
bool Verify(const Accumulator& a, const SpendMetaData &metaData) const;

IMPLEMENT_SERIALIZE
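Review bot: the new `HasValidSerial()` declaration has no documentation comment, while the neighbouring member (`getDenomination`, whose `*/` closes a doc block just above) does. Add a short comment stating that it returns true only when the serial is strictly between 0 and the coin commitment group order, and that it must hold for a spend to be considered valid.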
