verifymessagewithname in SPV is insecure

[pinheadmz]

https://github.com/kyokan/bob-wallet/blob/6f3f93bf202740f27cda1b46684d78e94ae68a96/app/background/node/service.js#L491-L514

This is (a) broken because getNameInfo() will always return null for every name in SPV mode. (rpc getnameinfo relies on the Urkel Tree, which in SPV mode is always empty). It is (b) insecure because it relies on an API server to getCoin() (even though it never will, because getnameinfo will always be null)

Verify with name is possible in SPV mode though, consider this:

• Request Urkel proof for name from full node, which returns a complete NameState object
• NameState contains owner which is hash and index of a UTXO
• Bob Wallet requests the ENTIRE TX from API server with that hash
• Bob verifies the TX from the server hashes to the hash in NameState.owner
• Bob now has the coin that owns the name: by looking up the index in the TX it just verified
• Bob now has the address that owns the name and everything is verified.

Update: ok I misread the code, getnameinfo is actually fetched from the API server, so its not broken its just insecure.

[rithvikvibhu]

Request Urkel proof for name from full node, which returns a complete NameState object

With https://github.com/handshake-org/hsd/pull/647 it's possible to get the namestate, but it will be stale (2 hours?) so would need a warning or something I guess.