shielded-pool(spend): fix validation of dummy spends in spend proof #3871

Merged
merged 4 commits into from
Feb 24, 2024

@avahowell avahowell commented Feb 23, 2024

Instead of short circuiting all checks in the spend circuit in the case of a dummy spend (a note with value 0), this PR changes the spend circuit so that it only skips the SCT inclusion proof check. This addresses the bug reported by Zellic in #3859 and ensures the integrity of spends with zero value.

I also added a test that reproduces the bug in main, and verifies that the proof verifier rejects dummy spends with invalid proofs.

Instead of short circuiting all checks in the spend circuit in the case of a dummy spend (a note with value 0), this PR changes the spend circuit so that it only skips the SCT inclusion proof check. This prevents a nullifier griefing bug reported by Zellic in #3859 where an attacker watching the mempool can race transactions with a 0-value transaction, copying the signatures, in order to prevent that nullifier from ever being spent.
@cratelyn cratelyn added the zellic-component-remediated Tag PRs that are remediating Zellic findings label Feb 23, 2024
@erwanor erwanor changed the title fix nullifier griefing bug #3859 shielded-pool(spend): fix nullifier griefing bug Feb 23, 2024
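The gating change described in the PR description, as an added example that is not code from this PR or from the project: a simplified boolean model of the verifier's decision. The toy hash `h`, the `Spend` fields and the nullifier-derivation check are assumptions standing in for the real circuit constraints.

```rust
// Simplified model of the dummy-spend gating logic; NOT the project's circuit code.
// The toy hash and all field names are assumptions made for illustration.

/// Toy stand-in for the hash used inside the circuit (assumption).
fn h(a: u64, b: u64) -> u64 {
    (a ^ b.rotate_left(17)).wrapping_mul(0x9E37_79B9_7F4A_7C15).rotate_left(31)
}

struct Spend {
    value: u64,        // note value; 0 marks a dummy spend
    nk: u64,           // nullifier key (private witness)
    commitment: u64,   // note commitment (private witness)
    nullifier: u64,    // public input revealed by the spend
    anchor: u64,       // public input: claimed SCT root
    path_sibling: u64, // one-level stand-in for the Merkle path witness
}

// Assumed integrity check: the public nullifier is derived from the witness.
fn nullifier_ok(s: &Spend) -> bool { s.nullifier == h(s.nk, s.commitment) }
// Stand-in for the SCT inclusion proof check.
fn inclusion_ok(s: &Spend) -> bool { h(s.commitment, s.path_sibling) == s.anchor }

/// Before the fix: a zero value short-circuits every check.
fn verify_before(s: &Spend) -> bool {
    s.value == 0 || (nullifier_ok(s) && inclusion_ok(s))
}

/// After the fix: a zero value waives only the inclusion proof.
fn verify_after(s: &Spend) -> bool {
    nullifier_ok(s) && (s.value == 0 || inclusion_ok(s))
}

/// Runs both verifiers over constructed sample spends.
fn demo() -> (bool, bool, bool, bool) {
    let real = Spend { value: 5, nk: 11, commitment: 22, nullifier: h(11, 22),
                       anchor: h(22, 33), path_sibling: 33 };
    // Dummy spend whose public nullifier is not backed by a matching witness.
    let unbacked = Spend { value: 0, nk: 0, commitment: 0, nullifier: real.nullifier,
                           anchor: 0, path_sibling: 0 };
    // Well-formed dummy spend: consistent nullifier, no inclusion proof.
    let dummy = Spend { value: 0, nk: 7, commitment: 8, nullifier: h(7, 8),
                        anchor: 0, path_sibling: 0 };
    (verify_before(&unbacked), verify_after(&unbacked),
     verify_after(&real), verify_after(&dummy))
}

fn main() {
    println!("{:?}", demo());
}
```

The old gate accepts the unbacked dummy spend while the new gate rejects it, and well-formed dummy spends still verify without an inclusion proof.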
@redshiftzero redshiftzero left a comment

looks great!

@avahowell avahowell changed the title shielded-pool(spend): fix nullifier griefing bug shielded-pool(spend): fix validation of dummy spends in spend proof Feb 23, 2024
@avahowell avahowell merged commit de591bb into main Feb 24, 2024
6 checks passed
@avahowell avahowell deleted the dummy-spend-circuit-fix branch February 24, 2024 02:27
hdevalence added a commit that referenced this pull request Feb 25, 2024
From looking at the CI history, it seems like deployments have been failing
since #3871; this seems like it might be the cause, so I'll try reverting it
and seeing if that fixes the problem.
hdevalence added a commit that referenced this pull request Feb 25, 2024
From looking at the CI history, it seems like deployments have been
failing since #3871; this seems like it might be the cause, so I'll try
reverting it and seeing if that fixes the problem.