Verify the hashes match for latestHash in 'chelonia/private/in/syncContract' #1600

Closed
taoeffect opened this issue May 17, 2023 · 2 comments · Fixed by #1618
Labels
App:Frontend Kind:Enhancement Improvements, new features, performance upgrades, etc. Note:Security

Comments

@taoeffect
Member

taoeffect commented May 17, 2023

Problem

In 'chelonia/private/in/syncContract', we have this line:

const latest = await sbp('chelonia/out/latestHash', contractID)

We then fetch the events up to whatever the latest hash is (since the most recent message we've processed):

const events = await sbp('chelonia/out/eventsSince', contractID, recent || contractID)

We currently do not verify that the latest hash is among those messages received, but we should.

Solution

Call GIMessage.deserialize on all the messages first, then, starting from the end of the list, check to make sure one of the messages' hashes matches latest. If no such message can be found, throw an error. Otherwise proceed with calling 'chelonia/private/in/handleEvent'.

@taoeffect taoeffect added Kind:Enhancement Improvements, new features, performance upgrades, etc. Note:Up-for-grabs App:Frontend Note:Security labels May 17, 2023
@Silver-IT Silver-IT self-assigned this May 23, 2023
@Silver-IT
Member

@taoeffect, when could this issue be happening?

@taoeffect
Member Author

taoeffect commented May 23, 2023

@Silver-IT if the server is compromised or there's a bug in the code
