[bisq-network/bisq] Fix remaining blackmail vulnerabilities (#4789)

Oscar Guindzberg notifications at github.com
Sat Nov 14 00:35:48 CET 2020


@oscarguindzberg commented on this pull request.



> @@ -32,6 +34,9 @@ public BuyerAsMakerSendsInputsForDepositTxResponse(TaskRunner<Trade> taskHandler
 
     @Override
     protected byte[] getPreparedDepositTx() {
-        return processModel.getPreparedDepositTx();
+        Transaction preparedDepositTx = processModel.getBtcWalletService().getTxFromSerializedTx(processModel.getPreparedDepositTx());
+        // Remove witnesses from preparedDepositTx, so that the seller can still compute the final
+        // tx id, but cannot publish it before providing the buyer with a signed delayed payout tx.
+        return preparedDepositTx.bitcoinSerialize(false);

the function of the flag is "tx serialzed using the new segwit format".
bitcoinSerialize(false) seems fine if you want to avoid sending the signatures.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4789#discussion_r523285465
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20201113/e3e13ded/attachment-0001.html>


More information about the bisq-github mailing list