Comments (2)
jrick
commented on May 22, 2024
Thank you for bringing this to our attention. You are certainly correct that fraud could be performed between two currencies that have different maximum script push sizes, and that placing and verifying the actual length in the contract allows it to be audited.
We will make the appropriate changes to add the extra validation, and not accept any implementations for coins with a different maximum script push size until this is resolved. Just to reduce complexity, I think only working with a single known good secret size is best, instead of trying to support anything under the maximum.
If you haven't yet reported it, please bring this to the attention of the BIP0199 authors, as their example script is similarly vulnerable and the BIP will be widely referenced by implementors.
from atomicswap.
markblundeberg
commented on May 22, 2024
Thanks for the fast response!
I agree with what you say --- the simplest fix is that all contracts should be checked for standard form that includes a hardcoded secret size check of 32 bytes. No variation allowed.
I've sent an email to the authors you suggested, cheers!
from atomicswap.
Related Issues (20)
- [btcamoticswap] deprecated signrawtransaction command
- [btcatomicswap] sendrawtransaction wrong param HOT 1
- gRPC Implementation
- DRY Implementation
- getrawchangeaddres: status code: 401, response: "" HOT 2
- Monero (XMR) Atomic Swap with BTC or BCH
- Adding Ethereum support HOT 28
- golint errors
- btcatomicswap auditcontract from output address (redeem address) HOT 4
- support requirements HOT 2
- participant address is not P2PKH HOT 1
- How can A receive the DCR and B receive BTC? HOT 3
- specification for the atomic swap communications side-channel? HOT 3
- I'd like to use this as a library HOT 1
- Why is auditcontract an offline Command? HOT 7
- obfuscated secrets: basic extractsecret can fail for non-push-only scriptsig HOT 9
- New coin want to be swaped HOT 3
- Building on top of decred/atomic swaps code - Next Steps HOT 4
- Switch to go modules
- polisatomicswap fails to build due to missing dependencies HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from atomicswap.