sherlock-audit / 2024-05-aleo-judging


morbsel - The `fee_private` function has public inputs that should be restricted to private #27

Closed sherlock-admin2 closed 1 week ago

sherlock-admin2 commented 2 weeks ago

morbsel

Medium

The fee_private function has public inputs that should be restricted to private

Summary

The fee_private function has public inputs; these inputs should be private to ensure the confidentiality of transaction details and maintain privacy.

Vulnerability Detail

In the fee_private function, the parameters r1, r2, and r3 are public. This exposes transaction details, such as the fee amount and execution ID, which should remain confidential.

Impact

Privacy leaks for users that interact with the function

Code Snippet

https://github.com/sherlock-audit/2024-05-aleo/blob/55b2e4a02f27602a54c11f964f6f610fee6f4ab8/snarkVM/synthesizer/program/src/resources/credits.aleo#L980-L985

Tool used

Manual Review

Recommendation

Change the visibility of the inputs r1, r2, and r3 from public to private.

morbsel commented 1 week ago

@evanmarshall is it the case that input functions declared as public are private when they are in a function block? Or are they public and this would be a valid finding?

evanmarshall commented 1 week ago

The fee_private has two public inputs (amount & transition_id) and one private input (record). It must be set up this way because validators need to know:

  1. If the fee is sufficient to pay for the transaction.
  2. The transition_id (already public) and it prevents the stealing of fees by validators by linking it to a specific execution.

The record input (encrypted UTXO) is private as it contains the identity of the user paying for the transaction, i.e. who is actually doing the transaction is private.
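
To make the visibility split described above concrete, here is an added Python model (not snarkVM or credits.aleo code; `CreditsRecord`, `FeeTransition`, `validate_fee` and the SHA-256 stand-in for the record commitment are assumptions of this example): the validator's check runs on the public inputs alone, while the record naming the payer never leaves the private side.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class CreditsRecord:
    """Private input: the credits record (encrypted UTXO) naming the payer."""
    owner: str
    microcredits: int
    nonce: str  # per-record randomness so the commitment below hides the owner


@dataclass(frozen=True)
class FeeTransition:
    record: CreditsRecord   # private input
    amount: int             # public input: fee paid, in microcredits
    execution_id: str       # public input: execution this fee is bound to

    def public_view(self) -> dict:
        # What a validator sees: both public inputs plus a hiding commitment to
        # the record. The owner never appears. (SHA-256 over owner, balance and
        # nonce stands in for the real record commitment scheme.)
        r = self.record
        commitment = hashlib.sha256(
            f"{r.owner}|{r.microcredits}|{r.nonce}".encode()).hexdigest()
        return {"amount": self.amount,
                "execution_id": self.execution_id,
                "record_commitment": commitment}


def validate_fee(public: dict, expected_execution_id: str, required_fee: int) -> bool:
    """Validator check using only the public view.

    (1) the fee covers the execution's cost;
    (2) the fee is bound to this specific execution, so it cannot be lifted
        and attached to a different transaction.
    """
    if public["amount"] < required_fee:
        return False
    if public["execution_id"] != expected_execution_id:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not real Aleo data.
    rec = CreditsRecord(owner="aleo1payer_sample", microcredits=5_000_000, nonce="n0")
    tx = FeeTransition(record=rec, amount=1_200, execution_id="exec-abc")
    view = tx.public_view()
    print("owner visible to validator:", "owner" in view)                       # False
    print("accepted:", validate_fee(view, "exec-abc", 1_000))                   # True
    print("re-bound to another execution:", validate_fee(view, "exec-xyz", 1_000))  # False
```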

morbsel commented 1 week ago

Okay thanks for the clarification