Edgecase Squared: Cross-plasmachain replay attack

FourthState / plasma-mvp-rootchain

smart contract implementation according to the Plasma MVP spec.

Apache License 2.0

79 stars 24 forks source link

Edgecase Squared: Cross-plasmachain replay attack #48

Closed AdityaSripal closed 5 years ago

AdityaSripal commented 6 years ago

Currently we have users sign over the RLP-encoded tx.

If a user owns the same UTXO position on two different plasma chains and they spend the UTXO on one chain, a malicious receiver can publish the same transaction on the other chain and take both UTXOs.

Solution: User signs over the RLP-encoded tx as well as the rootchain smart-contract address.

AdityaSripal commented 5 years ago

Solved with changes to confirmationHash

Now: hash(txHash | block.root)