[bisq-network/bisq] Fix remaining blackmail vulnerabilities (#4789)
Steven Barclay
notifications at github.com
Sat Nov 14 21:22:50 CET 2020
I just spotted that I accidentally used the non-segwit version of `Script.correctlySpends`, when checking the p2wsh signature of the delayed payout tx (during `BuyerFinalizesDelayedPayoutTx`), on line 774 of `TradeWalletService`:
> input.getScriptSig().correctlySpends(delayedPayoutTx, 0, scriptPubKey, Script.ALL_VERIFY_FLAGS);
This erroneously skips the check, as the ScriptSig is empty. I need to additionally pass the witness and locked up trade amount. I'll post another commit to fix this shortly.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/pull/4789#issuecomment-727260511
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.bisq.network/pipermail/bisq-github/attachments/20201114/fd77cb15/attachment.html>
More information about the bisq-github
mailing list