rivet-gg / opengb-modules

Official registry of OpenGB modules.
https://opengb.dev
Apache License 2.0

fix(tokens): Hash tokens in `tokens` module to resist ND2DB-style timing attack #83

Open Blckbrry-Pi opened 2 months ago

Blckbrry-Pi commented 2 months ago

Resolves OGB-53

linear[bot] commented 2 months ago

OGB-53 Combination of B-Tree index + unhashed tokens may leave `tokens` vulnerable to a ND2DB-adjacent timing attack.

Blckbrry-Pi commented 1 month ago

> I'm not too familiar with this kind of attack, is it possible to write a unit test that confirms this attack is no longer valid after this patch?

Almost definitely not. The theoretical timing attack I proposed would probably take about 3 days minimum to attempt, and that would be if the attacker was on the lucky side.

I can almost guarantee that this style of timing attack will be impossible until a method is released to manipulate SHA256 hashes bit by bit.
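
The mitigation named in the PR title, sketched as an added JavaScript example (not part of this thread, and not code from this PR or the `tokens` module): the store keeps and looks up only the SHA-256 digest of a token, so the indexed value has no prefix relationship with the bytes a caller presents. `TokenStore`, `hashToken`, `commonPrefixLength` and `prefixDemo` are hypothetical names, and the `Map` is an assumed stand-in for the B-Tree-indexed column.

```javascript
// Added illustration; not code from the opengb-modules `tokens` module.
const { createHash, randomBytes } = require("node:crypto");

// Digest used as the indexed lookup key instead of the raw token.
function hashToken(token) {
  return createHash("sha256").update(token, "utf8").digest("hex");
}

// Hypothetical in-memory stand-in for a table whose indexed column holds
// only the SHA-256 digest; the raw token is never stored.
class TokenStore {
  constructor() {
    this.byHash = new Map();
  }

  // Issues a token and returns the raw value to the caller exactly once.
  create(meta) {
    const token = randomBytes(32).toString("hex");
    this.byHash.set(hashToken(token), { meta, revoked: false });
    return token;
  }

  // Hashes the presented value first, so the index comparison is made on
  // the digest and never on caller-chosen bytes.
  validate(presented) {
    const row = this.byHash.get(hashToken(presented));
    return row && !row.revoked ? row.meta : null;
  }
}

// Length of the shared leading run of two strings.
function commonPrefixLength(a, b) {
  let i = 0;
  while (i < a.length && i < b.length && a[i] === b[i]) i++;
  return i;
}

// Constructed sample values (not real tokens): two inputs that differ only
// in their last character, compared raw and after hashing.
function prefixDemo() {
  const token = "a".repeat(63) + "b";
  const guess = "a".repeat(63) + "c";
  return {
    raw: commonPrefixLength(token, guess),
    hashed: commonPrefixLength(hashToken(token), hashToken(guess)),
  };
}
```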