axelarnetwork / tofn

A threshold cryptography library in Rust
Apache License 2.0
112 stars 23 forks source link

fix: non-Paillier-related NCC findings #157

Closed ggutoski closed 3 years ago

ggutoski commented 3 years ago

This PR addresses all remaining findings from the NCC audit (including appendix) except those related to Paillier---namely, finding numbers 003, 004, 005. Those findings will be handled in a separate PR along with Paillier improvements.

That leaves only the following items covered by this PR: findings 001, 006, and an un-numbered note from the appendix on session nonce length range checks.

As of this PR, all notes from the appendix are complete and the status of numbered findings is as follows:

Draft status

Need to verify that the new length restrictions on session nonce do not break existing usage in axelar-core. Until then, this PR is stuck in draft mode.

Currently, the only use of the affected session nonce by axelar-core is for the new_key_uid in keygen: https://github.com/axelarnetwork/grpc-protobuf/blob/afb7358f2051370950881220be6ae51f4dbafdb9/grpc.proto#L109 On the axelar-core side, this uid is provided by the end user via CLI command: https://github.com/axelarnetwork/axelar-core/blob/0cd3073bd4745c97112f2a7948fed19c9c1e4359/x/tss/client/cli/tx.go#L40 As such, the only restriction on uid length is that it be nonzero.

How to proceed?

Options:

@cgorenflo any opinions?

ggutoski commented 3 years ago

The corresponding axelar-core PR axelarnetwork/axelar-core#815 has now been merged.