[bisq-network/bisq] Fix remaining blackmail vulnerabilities (#4789)
Oscar Guindzberg
notifications at github.com
Sat Nov 14 00:35:48 CET 2020
@oscarguindzberg commented on this pull request.
> @@ -32,6 +34,9 @@ public BuyerAsMakerSendsInputsForDepositTxResponse(TaskRunner<Trade> taskHandler
@Override
protected byte[] getPreparedDepositTx() {
- return processModel.getPreparedDepositTx();
+ Transaction preparedDepositTx = processModel.getBtcWalletService().getTxFromSerializedTx(processModel.getPreparedDepositTx());
+ // Remove witnesses from preparedDepositTx, so that the seller can still compute the final
+ // tx id, but cannot publish it before providing the buyer with a signed delayed payout tx.
+ return preparedDepositTx.bitcoinSerialize(false);
the function of the flag is "tx serialzed using the new segwit format".
bitcoinSerialize(false) seems fine if you want to avoid sending the signatures.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4789#discussion_r523285465
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20201113/e3e13ded/attachment-0001.html>
More information about the bisq-github
mailing list