aeternity / aesophia

Stand alone compiler for the Sophia smart contract language
https://docs.aeternity.com/aesophia
ISC License

Encode entity type into delegation signature #475

Closed davidyuk closed 1 year ago

davidyuk commented 1 year ago

I've found 3 types of delegation signatures:

  1. network id + account address + contract address -- delegate AENS and Oracle operations
  2. network id + account address + name hash + contract address -- delegate an AENS name to a contract
  3. network id + query id + contract address -- delegate ability to reply to an oracle query

The addresses and ids are encoded as raw data, losing information on the entity type. In existing combinations, I can re-encode the current account address as an oracle query id and request the wallet to sign an oracle query delegation (3) and get a general delegation (1) instead.

If later we would introduce additional delegation signatures like network id + account address + channel address + contract address, then functions signing a delegation of a new type can be misused to generate a name delegation (2).

Currently, when implementing a wallet API, the correct way to name methods would be "sign network id, account address, and 32 bytes" instead of "sign network id, account address, and contract address".

The above issues may be solved by encoding addresses the same way as in transactions, using this mapping: https://github.com/aeternity/aeserialization/blob/177bf604b2a05e940f92cf00e96e6e269e708245/src/aeser_id.erl#L97-L102
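
The ambiguity described in the comment above, as an added example that is not part of the original issue or the project's code: it compares the payloads to be signed for types (1) and (3), and for type (2) and the hypothetical channel delegation, first as raw bytes and then with a type tag before each identifier. The network id, the 32-byte values and the tag numbers are constructed for illustration and are not the mapping in aeser_id.erl.

```javascript
// Added illustration: every byte value and type tag below is constructed.
const NETWORK_ID = 'ae_example'; // constructed network id
const TAG = { account: 1, name: 2, query: 3, contract: 4, channel: 5 }; // hypothetical tags

// A typed identifier: an entity type plus 32 constructed bytes.
const id = (type, fill) => ({ type, bytes: Buffer.alloc(32, fill) });
// Present an existing identifier's bytes as another entity type.
const relabel = (type, other) => ({ type, bytes: other.bytes });

// Scheme described in the issue: network id followed by raw bytes only.
function encodeRaw(ids) {
  return Buffer.concat([Buffer.from(NETWORK_ID), ...ids.map((i) => i.bytes)]);
}

// Proposed direction: prefix every identifier with a tag for its entity type.
function encodeTagged(ids) {
  return Buffer.concat([
    Buffer.from(NETWORK_ID),
    ...ids.map((i) => {
      if (!(i.type in TAG)) throw new Error(`unknown entity type: ${i.type}`);
      return Buffer.concat([Buffer.from([TAG[i.type]]), i.bytes]);
    }),
  ]);
}

// Identical payloads yield identical signatures, so comparing payloads is enough.
const samePayload = (encode, a, b) => encode(a).equals(encode(b));

const account = id('account', 0xa1);
const contract = id('contract', 0xc2);
const nameHash = id('name', 0x4e);

// Type (1) versus type (3) where the query id carries the account's bytes.
const general = [account, contract];
const queryReply = [relabel('query', account), contract];
// Type (2) versus the hypothetical channel delegation from the issue.
const nameDelegation = [account, nameHash, contract];
const channelDelegation = [account, relabel('channel', nameHash), contract];

function report() {
  return {
    rawGeneralVsQuery: samePayload(encodeRaw, general, queryReply),
    rawNameVsChannel: samePayload(encodeRaw, nameDelegation, channelDelegation),
    taggedGeneralVsQuery: samePayload(encodeTagged, general, queryReply),
    taggedNameVsChannel: samePayload(encodeTagged, nameDelegation, channelDelegation),
  };
}

console.log(report());
```

With raw encoding both pairs produce byte-identical payloads, so a wallet cannot tell which delegation it is being asked to sign; with tags each pair differs in at least one byte.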

hanssv commented 1 year ago

Again, good observation! ... and again - nothing really to do with the Sophia compiler.