[bisq-network/bisq] Fix remaining blackmail vulnerabilities (#4789)

[chimp1984]

@chimp1984 requested changes on this pull request.



> @@ -32,6 +34,9 @@ public BuyerAsMakerSendsInputsForDepositTxResponse(TaskRunner<Trade> taskHandler
 
     @Override
     protected byte[] getPreparedDepositTx() {
-        return processModel.getPreparedDepositTx();
+        Transaction preparedDepositTx = processModel.getBtcWalletService().getTxFromSerializedTx(processModel.getPreparedDepositTx());
+        // Remove witnesses from preparedDepositTx, so that the seller can still compute the final
+        // tx id, but cannot publish it before providing the buyer with a signed delayed payout tx.
+        return preparedDepositTx.bitcoinSerialize(false);

The Transaction.bitcoinSerializeToStream method does use that flag not only for adding segwit data but also for writing a flag: 
```
 // marker, flag
        if (useSegwit) {
            stream.write(0);
            stream.write(1);
        }
```

I don't know which function this flag has, but maybe its more safe to remove the segwit data in a different way. Maybe @oscarguindzberg can add his input here...

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4789#pullrequestreview-530420690
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20201113/82a527d5/attachment.html>