Zoe is gullible to issuer's allegation of brand

[erights]

agoric-sdk/packages/zoe/src/state.js

Line 208 in d9bc9ec

const brandP = E(issuer).getBrand();

together with

agoric-sdk/packages/zoe/src/state.js

Lines 229 to 231 in d9bc9ec

	table.create(issuerRecord, brand);
	issuerToBrand.init(issuer, brand);
	issuersInProgress.delete(issuer);

enters a binding from the brand that the issuer alleges to an issuer record which includes the issuer. But a malicious issuer could report someone else's brand, disrupting Zoe's possible later attempt to register the true issuer of that brand. We just need to also check brand.isMyIssuer(issuer) to ensure they are mutually acceptable to each other. The pair may still misbehave, but they can't interfere with a later attempt to register the true owner of that brand.

There may be similar vulnerabilities elsewhere we ask an issuer for its brand without asking the brand's opinion.

[katelynsills]

Yup, this is indeed a vulnerability. We use the issuerTable in a couple of places: the Zoe Service, the Contract Facet, and the wallet. We should check each of these places. I think the Zoe redesign PR is an appropriate place for this change.

[katelynsills]

@erights does this address the vulnerability for at least the Zoe package? 4ec0070

[erights]

Yes, that looks good.

[katelynsills]

Fixed in agoric-sdk in #1414 but we should remain aware of this issue.

[katelynsills]

Closed in #1443