fluidex / circuits

GNU Affero General Public License v3.0

security: order replay #159

Open lispc opened 3 years ago

lispc commented 3 years ago

It seems not easy to prevent the operator from replaying users' orders.

Be careful here.

ref: https://ethresear.ch/t/account-based-anonymous-rollup/6657

Like zCash, there is a Merkle tree to store the created money orders, and another Merkle tree to store the nullified money orders.

The current circuits code may not be correct. An evil operator can put an order into the tree more than once.

lispc commented 3 years ago

orderPos = orderId % 2**orderLevel seems very ad hoc and limited. The client side has to 'fetch an available order id', then sign it....

Considering nullifier.

I think 'prove something happened/exists' in zkrollup is easy, while 'prove something did not happen / does not exist' seems a bit hard; a nullifier is a general solution. But nullifiers have some performance problems...

anyway ... it is not a blocking issue
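A minimal model of the two approaches discussed in these comments, added here as an illustration and not code from fluidex/circuits: a slot-indexed store using orderPos = orderId % 2**orderLevel accepts the same signed order again after it was consumed, while a store that records a nullifier for every consumed order rejects the replay. The tree depth, the Order fields and the SHA-256 nullifier are assumptions for the model.

```python
import hashlib
from dataclasses import dataclass

# Assumed tree depth: 2**3 = 8 order slots per account (hypothetical value).
ORDER_LEVEL = 3


@dataclass(frozen=True)
class Order:
    """A signed order as the rollup sees it; the fields are assumptions."""
    account: int
    order_id: int
    amount: int


def order_pos(order: Order) -> int:
    """Slot index from the issue: orderPos = orderId % 2**orderLevel."""
    return order.order_id % 2 ** ORDER_LEVEL


def nullifier(order: Order) -> bytes:
    """Constructed nullifier over (account, order_id). A circuit would use a
    circuit-friendly hash; SHA-256 is used here only for the model."""
    return hashlib.sha256(f"{order.account}:{order.order_id}".encode()).digest()


class SlotStore:
    """Order tree keyed by slot only. Applying an order just writes its slot,
    so nothing stops the same signed order from being written a second time."""
    def __init__(self) -> None:
        self.slots: dict[int, Order] = {}

    def apply(self, order: Order) -> bool:
        self.slots[order_pos(order)] = order
        return True

    def consume(self, order: Order) -> None:
        # Fill/cancel clears the slot; no record that the order ever existed.
        self.slots.pop(order_pos(order), None)


class NullifierStore(SlotStore):
    """Same slot tree plus a set of nullifiers of consumed orders; a second
    application of a consumed order is rejected because its nullifier exists."""
    def __init__(self) -> None:
        super().__init__()
        self.spent: set[bytes] = set()

    def apply(self, order: Order) -> bool:
        if nullifier(order) in self.spent:
            return False
        return super().apply(order)

    def consume(self, order: Order) -> None:
        super().consume(order)
        self.spent.add(nullifier(order))


def replay_accepted(store: SlotStore) -> bool:
    """Apply a constructed order, consume it, then re-apply the same signed order."""
    order = Order(account=7, order_id=5, amount=100)
    store.apply(order)
    store.consume(order)
    return store.apply(order)
```

The spent set grows by one entry per consumed order and is never pruned, which is the performance cost the comment above refers to.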

lispc commented 3 years ago

https://medium.com/aztec-protocol/aztecs-zk-zk-rollup-looking-behind-the-cryptocurtain-2b8af1fca619

our Pedersen hashes are 5x more efficient than systems that use R1CS and 18x more efficient than regular Plonk