Range check #74

rrtoledo · 2019-09-16T09:45:42Z

PR related to issue #38

AntoineRondelet · 2019-10-02T14:57:36Z

zeth-contracts/contracts/BaseMixer.sol

@@ -189,6 +191,10 @@ contract BaseMixer is MerkleTreeMiMC7, ERC223ReceivingContract {
            digest_inputs[0] = primary_inputs[i]; // See the way the inputs are ordered in the extended proof
            digest_inputs[1] = primary_inputs[i+1];
            bytes32 current_commitment = Bytes.sha256_digest_from_field_elements(digest_inputs);
+            require(
                uint256(current_commitment) < r,


The double spending threat has to do with the nullifier, not the commitments.
Basically, N and N + MP lie in the same equiv. class mod P, thus you can we need to make sure that no one is able to use multiple elements from a same equiv class mod P to carry out double spendings. That's why we need to make sure that we only accept primary inputs that are < P (P being the scalar field prime here).

Ah sorry I removed this check from the assemble function and forgot to add it again (c.f. last commit) (since the assemble function should disappear with the new packing policy).

It is written in the issue to check the primary inputS so I thought you also might want to check tall of them.

Please make sure to double check the diffs of your PRs next time

You were not checking the right thing here.
In the lines commented above you compare a 256-bit number with the scalar field characteristic r (encoded on 253 bits), I think you haven't ran the python tests. I haven't but I'd bet they would fail most of the time (nothing should prevent your nullifiers and commitments, both output of sha256 or blake2s to be smaller than r, why did you think they should?)

Yeah I saw some tests failing.
I thought that these commitments were the field commitments already and not the blake2s digests.

So do I understand correctly that you wanted to merge to develop a piece of code that:

Does not fix the vulnerability

Breaks the tests
??

It does not make any sense. If you are assigned to an issue, this is your responsibility to fix it. The goal is not to push an half-baked patch that breaks half of the tests, ask a review and move to the next one.

AntoineRondelet · 2019-10-02T15:31:48Z

Fixed in #85

Range check

AntoineRondelet reviewed Oct 2, 2019

View reviewed changes

Added range check on primary inputs to prevent double spendings

3445336

AntoineRondelet force-pushed the range_check branch from 7923703 to 3445336 Compare October 3, 2019 06:58

AntoineRondelet self-assigned this Oct 3, 2019

AntoineRondelet added 4 commits October 4, 2019 12:23

Added attack to the tests

5225c78

Fixed typo and comments

cd7692f

Added check to ERC token mixing test

181da91

Added link to issue in code

332c48f

AntoineRondelet merged commit 118b8d9 into develop Oct 4, 2019

AntoineRondelet mentioned this pull request Oct 4, 2019

Double spending threat if no range check is done on public inputs in verifier #38

Closed

AntoineRondelet deleted the range_check branch October 18, 2019 08:29

AntoineRondelet added a commit that referenced this pull request May 6, 2020

Merge pull request #74 from clearmatics/range_check

d35081a

Range check

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Range check #74

Range check #74

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Range check #74

Range check #74

Uh oh!

Conversation

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!