[bisq-network/bisq] Fix remaining blackmail vulnerabilities (#4789)
chimp1984
notifications at github.com
Fri Nov 13 22:23:26 CET 2020
@chimp1984 requested changes on this pull request.
> @@ -32,6 +34,9 @@ public BuyerAsMakerSendsInputsForDepositTxResponse(TaskRunner<Trade> taskHandler
@Override
protected byte[] getPreparedDepositTx() {
- return processModel.getPreparedDepositTx();
+ Transaction preparedDepositTx = processModel.getBtcWalletService().getTxFromSerializedTx(processModel.getPreparedDepositTx());
+ // Remove witnesses from preparedDepositTx, so that the seller can still compute the final
+ // tx id, but cannot publish it before providing the buyer with a signed delayed payout tx.
+ return preparedDepositTx.bitcoinSerialize(false);
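Review bot: The bare `false` in the added `return preparedDepositTx.bitcoinSerialize(false);` carries the whole property described in the comment above it, yet nothing in the call or in the method name `getPreparedDepositTx()` says the returned bytes are witness-stripped. Consider wrapping the round trip in a small helper whose name states that witnesses are removed, so a later refactor cannot silently restore them. The new `getTxFromSerializedTx(processModel.getPreparedDepositTx())` call also parses bytes that the old code passed straight through, so an explicit check that the prepared deposit tx is present before parsing would make the failure mode clear.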
The Transaction.bitcoinSerializeToStream method does use that flag not only for adding segwit data but also for writing a flag:
```
// marker, flag
if (useSegwit) {
    stream.write(0);
    stream.write(1);
}
```
I don't know which function this flag has, but maybe it's safer to remove the segwit data in a different way. Maybe @oscarguindzberg can add his input here...
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4789#pullrequestreview-530420690
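The two bytes written in the snippet quoted in the review are the BIP144 marker and flag that announce witness data; the transaction id is hashed over the serialization without them. The Python sketch below is an added example, not code from Bisq or bitcoinj: the function names are hypothetical and the sample transaction is constructed with dummy signature bytes. It shows that dropping marker, flag and witness stacks leaves the txid unchanged.

```python
import hashlib
import struct

def read_varint(b, i):
    """Decode a CompactSize integer at offset i; return (value, next offset)."""
    if b[i] < 0xfd:
        return b[i], i + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[b[i]]
    return int.from_bytes(b[i + 1:i + 1 + size], "little"), i + 1 + size

def skip_script(b, i):  # skip a length-prefixed byte string
    n, i = read_varint(b, i)
    return i + n

def strip_witness(raw):
    """Return the serialization without marker, flag and witness stacks."""
    if raw[4:6] != b"\x00\x01":          # no BIP144 marker/flag: already legacy
        return raw
    n_in, i = read_varint(raw, 6)
    for _ in range(n_in):
        i = skip_script(raw, i + 36) + 4  # outpoint, scriptSig, sequence
    n_out, i = read_varint(raw, i)
    for _ in range(n_out):
        i = skip_script(raw, i + 8)       # value, scriptPubKey
    body_end = i
    for _ in range(n_in):                 # one witness stack per input
        items, i = read_varint(raw, i)
        for _ in range(items):
            i = skip_script(raw, i)
    if i + 4 != len(raw):
        raise ValueError("unexpected length after witness data")
    return raw[:4] + raw[6:body_end] + raw[i:]

def dsha256(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def txid(raw):
    """Transaction id: hash of the witness-free serialization."""
    return dsha256(strip_witness(raw))[::-1].hex()

def wtxid(raw):  # witness transaction id: hash of the full serialization
    return dsha256(raw)[::-1].hex()

def sample_tx(sig):
    """Constructed one-input, one-output segwit tx carrying a dummy signature."""
    ins = b"\x01" + b"\x11" * 32 + struct.pack("<I", 0) + b"\x00" + b"\xff" * 4
    outs = b"\x01" + struct.pack("<q", 50_000) + b"\x16\x00\x14" + b"\x22" * 20
    wit = b"\x02" + bytes([len(sig)]) + sig + b"\x21" + b"\x03" * 33
    return struct.pack("<I", 2) + b"\x00\x01" + ins + outs + wit + bytes(4)
```

Two samples that differ only in their witness bytes share one `txid` but have different `wtxid` values, which is why a receiver of the stripped bytes can still compute the final id.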