security: order replay

[lispc]

seems not easy to prevent operator from replaying users' orders.

Be careful here.

ref: https://ethresear.ch/t/account-based-anonymous-rollup/6657

Like zCash, there is a Merkle tree to store the created money orders, and another Merkle tree to store the nullified money orders.

The current circuirts code may not be correct. A evil operator can put order into the tree more than once.

[lispc]

orderPos = orderId % 2**orderLevel seems very adhoc and limited. Client side have to 'fetch an available order id', then sign it....

Considering nullifier.

I think 'prove something happened/exists' in zkrollup is easy, while 'prove something did not happen / does not exist' seems a bit hard, nullifier is a general solution. But nullifier has some performance problems...

anyway ... it is not a blocking issue

[lispc]

https://medium.com/aztec-protocol/aztecs-zk-zk-rollup-looking-behind-the-cryptocurtain-2b8af1fca619

our Pedersen hashes are 5x more efficient than systems that use R1CS and 18x more efficient than regular Plonk