-
Notifications
You must be signed in to change notification settings - Fork 79
Reusing unprovided output #51
Comments
This is bad. I did not think about. Stealing of course cannot happen, because if an Alice doesn't see its output in the coinjoin, it won't sign (and unsigned Alice gets banned, this is actually the hidden blame protocol). But a new type of disruption is now possible. I'll spend all my time on this, until it gets addressed. |
Here's the fix. I'm going to add the following lines to the specification under DoS Attack section. DoS 4: What if Bob provides a signed output in the wrong round? If Bob refuses to provide an output in the round it acquired its signature, then the corresponding Alice gets banned in Signing phase, because she will not provide signature to the CoinJoin.
The question arises, why not use a random round identifier, instead of |
Maybe I can keep this open until you ack the fix. |
Thanks for the fix! Looks good ;) |
Me thanks. For the record I already implemented it. WalletWasabi/WalletWasabi@8d4c682 |
@anwfr I also credited you for identifying the attack, I hope that's ok with you. https://github.com/nopara73/ZeroLink/blob/master/README.md#can-this-system-be-bypassed-with-bitcoin-exchangesmixers-or-similar-services |
Sure! Thx :) |
I was wondering about the following scenario, if banning unprovided outputs is not implemented:
Would this enable her to disturb the round? (more outputs than expected)
Even maybe to steal money by getting her output instead of someone's else in transaction? (of course client should verify tx output before signing it...)
If so, blame protocol for banning unprovided outputs is a MUST.
Best regards
The text was updated successfully, but these errors were encountered: