Testing and Issues

You can test this entry and submit issues during the testing period of the Blockchain Contest contest.

Entries with serious issues will not be able to win the contest, but even minor issues might be important for overall results.

Voting

34

Comments

In the multisig folder you can find a FunC implementation of a multisignature wallet smart contract and Fift scripts useful for interacting with it.
For more information please read the README document. Run the scripts by typing the fift -s <script-name>.fif command. Launched with no arguments, a script will show its usage with some more details related to it.

Please ignore the __MACOSX folder, it got into the archive accidentally.
(See Chic Dolphin's issue.) The proper way to protect against the attack (an attacker can replace the signature list) is to check not only the authenticity of the order itself, but also the authenticity of the signature list before accepting the message. This issue can be fixed in two ways. The simplest is just to require an additional signature over the order along with the list of other signatures, made right before creating the external message and sending it, and to accept a message only if the additional signature is correct. The create-external-message.fif script can be naturally modified to require a private key and add the additional signature. And some slight changes are to be made in the signature check code.

Another way is more complicated, and it allows the user to create an external message with no need for an additional signature. But the comment is too narrow to contain the description.

Issues

Magic Python Nov 4, 2019 at 11:00
plus:
Very fast (0.035G for a transfer with n=16, k=10)
Garbage collect scans only expired entries.
All required features are implemented
accept_message() is called only after one signature was verified.
Catches exceptions to avoid failure after accept_message.

minus:
Works only after a minor bugfix.
One signature repeated multiple times is enough to execute an order.
11
> just processing internal messages in the way described in guidelines

Where did you get those?

That additional i < k is really nice. It prevents an attacker from simply copying your signature 1000 times, forcing you to do unnecessary checks after you accepted the message.

But you simply send the message if i == k. I don't need other signatures, I can simply sign it three times with a single key.
Suave Giraffe Oct 18, 2019 at 22:11
> Where did you get those?
From test.ton.org/smguidelines.txt. This link was in the general information section in the original TON Contest file describing the tasks.

> But you simply send the message if i == k.
Oh, you're right. That is my mistake. I should have processed the signatures in the same way as I do it in the update_order method, i.e. to make a mask of public key indexes and calculate the number of set bits in it. And only if it would still remain equal to k, send the message.
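
The mask-and-count fix described in this reply, sketched in Python as an added example (not the entry's FunC code). HMAC-SHA256 stands in for the wallet's signature check, and the keys, K and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed 3-key wallet. HMAC-SHA256 is only a stand-in for the real
# signature scheme so that the example runs with the standard library.
KEYS = [bytes([i + 1]) * 32 for i in range(3)]
K = 2  # number of distinct signers required

def sign(key_index, order):
    return hmac.new(KEYS[key_index], order, hashlib.sha256).digest()

def verify(key_index, order, sig):
    if not 0 <= key_index < len(KEYS):
        return False
    return hmac.compare_digest(sign(key_index, order), sig)

def count_naive(order, sigs):
    """Flawed: every valid signature counts, even a repeated one."""
    i = 0
    for key_index, sig in sigs:
        if i < K and verify(key_index, order, sig):
            i += 1
    return i

def count_distinct(order, sigs):
    """Hardened: set one bit per signer index, then count the set bits."""
    mask = 0
    for key_index, sig in sigs:
        if verify(key_index, order, sig):
            mask |= 1 << key_index
    return bin(mask).count("1")

def approved(counter, order, sigs):
    return counter(order, sigs) >= K

ORDER = b"constructed order body"
REPEATED = [(0, sign(0, ORDER))] * 3                  # one key, three copies
QUORUM = [(0, sign(0, ORDER)), (2, sign(2, ORDER))]   # two different keys

if __name__ == "__main__":
    print("naive, repeated signature:   ", approved(count_naive, ORDER, REPEATED))
    print("distinct, repeated signature:", approved(count_distinct, ORDER, REPEATED))
    print("distinct, real quorum:       ", approved(count_distinct, ORDER, QUORUM))
```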
Magic Python Oct 22, 2019 at 13:24
Maybe I am doing something wrong? I am trying to create a wallet with n=16, k=10.

fift -s generate-keypairs.fif pubkeys p{1..16}
fift -s new-multiwallet.fif 16 10 0 pubkeys pubkeys

Then I create a wallet. This part is OK.

After it, I am trying to get the key index with
runmethod <addr> pubkey_index  <pubkey_int>.

For some keys I got a valid index, but for more than a half of keys, I got -1.
Suave Giraffe Oct 22, 2019 at 14:33
The reason is in the line
int stored_pubkey = cs.preload_int(256);
instead of ...preload_uint(256); in the pubkey_index get method.
So if the key is greater than 2^255 - 1, it returns -1. Since the keys are uniformly distributed, it returns -1 for about a half of the valid keys.

I did miscalculate the time necessary for the contest so I hadn't enough time to test the wallet well. I'm really sorry about that.
I can launch a DoS attack with the exception handler and drain some funds in the process. So upon seeing your message, I send a copy of it with a modified signature list, leaving only the first one valid. It will pass through accept, and then crash, and then increment seqno. You'll be forced to sign another one. And I can repeat the process.
Suave Giraffe Oct 23, 2019 at 00:22
The problem is the same as in the previous issue: I should check the authenticity of the signature list, not only of the order body.
The exception handler is beside the point: it serves only as a fuse for wallet owners -- in case they sign an invalid message, which could lead to an exception while being parsed. Not as a security mechanism.