-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A malicious slot leader can drop signatures #3568
Comments
@garious how is the first signature valid? Each signature signs the entire transaction, which includes all the public keys, and if each key requires a signature. |
The signer can't sign the entire transaction, because that'd include the signature, which doesn't exist yet. It also doesn't sign the length of the signatures vector. Instead, it signs the whole Message struct, which includes a |
@garious The signer signs the list of pubkeys, and which are expected to provide a signature, as well as the message. The signatures are appended after. The transaction should be rejected as invalid before payment if any of the signatures fail the check. |
The signer signs a list of pubkeys which includes some which need a corresponding signature and some that don't. If the attacker reduces the number in the first byte of the transaction, then sigverify will successfully verify fewer signatures than the number in Message::num_required_signatures. |
@garious, the signature covers all the pubkeys, including the signers as well as the num required. |
But sigverify uses the first byte (unsigned) to determine how many signatures to verify, not Message::num_required_signatures, which is signed. |
Reducing the required number changes the message hash and breaks all the signatures. So a leader can’t do that. A malicious drone can’t change the number either, because it breaks some of the signatures and the entire TX is marked as failed. |
@garious, that’s funny. I guess we just need to check it’s the same value in tx.verify |
Reject transactions when there is a mismatch between tx.signatures.len() and tx.message().num_required_signatures. Fixes solana-labs#3568
Reject transactions when there is a mismatch between tx.signatures.len() and tx.message().num_required_signatures. Fixes solana-labs#3568
Fixed |
Problem
A malicious slot leader could drop all but the first transaction signatures, causing the first signer to pay the transaction fee, but then see the program reject it because of missing signatures.
Proposed Solution
sigverify should reject transactions when there is a mismatch between
tx.signatures.len()
andtx.message().num_required_signatures
.tag: @sakridge
The text was updated successfully, but these errors were encountered: