Outsource masp signature verification #3372
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3372 +/- ##
==========================================
- Coverage 53.48% 53.46% -0.03%
==========================================
Files 320 320
Lines 110000 110031 +31
==========================================
- Hits 58832 58824 -8
- Misses 51168 51207 +39 ☔ View full report in Codecov by Sentry. |
grarco
force-pushed
the
grarco/outsource-masp-sig-verification
branch
from
9c0361a
to
3add4d0
Compare
| ) | ||
| .map_err(native_vp::Error::new)?; | ||
| // Otherwise the owner's vp must have been triggered | ||
| if !verifiers.contains(signer) { |
There was a problem hiding this comment.
I would almost certainly agree with this logic if signer's VP was being executed on the state change being checked by this MASP VP minus the state changes induced by the inner Transaction. My concern here is as follows: imagine Alice constructs an unshielding Transaction of 10 BTC to Bertha. Now imagine that Christel intercepts this Transaction and embeds it inside a Transfer Tx that increases the balance of Christel by 10 BTC (instead of Bertha who is the rightful recipient). In this case, since Tx is effectively two transfers (an unshielding Transaction of 10 BTC to Bertha followed by a transparent Transfer of 10 BTC from Bertha to Christel), the signers map would contain Bertha's address. My specific concern here is that Bertha's VP doesn't see this foul play (of rehousing the Transaction in a different Tx) and always accepts the state change because the net change to Bertha's balance as a result of the entire state change is zero (after all, Bertha is only mentioned in the transparent output of the Transaction). To me this approach would only make sense if the verifiers could be made to specifically validate just the "effective" Transfer of 10 BTC from Bertha to Christel (which would be the result of doing the above "subtraction"), in which case they would certainly demand an authorization signature from Bertha (as was being done before in an admittedly restrictive way). Am I missing something here?
There was a problem hiding this comment.
So this PR only removes the signature verification and requests the corresponding VP to be triggered. As you are saying though, Bertha's VP would not reject the tx in the attack scenario you described because the balance change is 0. To make this work I've introduced a new masp Action (i.e. a temporary write to write log that is not committed to storage) with the address of the verifier whose vp we want to check this tx (in this case Bertha). Again, the 0 balance change would lead to the tx being accepted, so on top of that, I've updated the implicit and user VPs to handle this Action with a signature check (but custom vps could add more checks if desired): so the signature check has been simply moved from the masp vp to the user and implicit vps.
For this logic to work we need some cooperation from the tx which must write the temporary action key(s) required (the ones carrying the addresses whose extra signatures have been attached to the tx).
I believe this logic is ok (but please double check again) but I think that there are other flaws in this this implementation of mine:
- Even though the
Actioncarries the address of the signer this does not trigger its vp, since it's not the leading part of the key and we don't trigger VPs anymore if their address appear in non-leading locations of a key (@tzemanovic please correct me if I'm wrong). In this case we need a way for the tx to trigger the required VPs - Checking that the VPs have been triggered is not enough. Someone could craft a tx that does not write the required actions but for which the relevant VPs are still triggered. In this case we could end up in the scenario you envisioned. On top of checking that VPs have been triggered we should also check that the corresponding
Actionhas been written to storage to ensure that the VP will run the correct validation
Note that, as I've already answered Tomas before, at the moment the transactions do not support this Action logic cause with the previous design of vectorized transfers these scenario could not happen. It will become relevant after the new vectorized strategy has been merged
There was a problem hiding this comment.
For a single transfer I think we would need do something like this:
- If a VP of an address who must authorize the tx is not going to be triggered from the changed keys (yes, it is only the leading part) then the tx has to
insert_verifier - The MASP VP should require an
Actionto be written so a tx is not allowed to skip it (i.e. actions must not be empty)
For these to work together the MASP VP should then ensure that when the action is MaspSigner then the address in this action is contained in the verifiers set.
However, with the scenario with multiple transfers @murisi described I think this may not be sufficient. A tx could only attach a single action despite performing multiple actions. We might then need to add more information to the actions to describe the transfers in more detail and the MASP and user/implicit VPs will have to enforce that the storage changes match these actions. In this example, for the unshielding action from Alice we could have e.g. Action::Unshield { dest, amount } where dest == Bertha`` and if Christel` was to maliciously embed this transfer in another tx, either:
- Only with the original action, an increase in Christel's balance would not be matching the action (the MASP VP has to check the transparent bundle's
vout.addressagainst the actions to enforce this) - With the original action and added
Action::Transparent { src, dest, amount }wheresrc == Bertha,dest == Christelandamount == 10, the user/implicit VP must require signature from Bertha (even if the overall balance change of Bertha is 0) - Without the original action, but with an
Action::Unshieldwheredest == Christel, the side-effects of the storage changes would not match the actions (the actual unshieldingdestis Bertha)
There was a problem hiding this comment.
So this PR only removes the signature verification and requests the corresponding VP to be triggered.
Ah, I completely misread the approach taken by this PR. My bad.
but custom vps could add more checks if desired
I see. And at the bare minimum, custom VPs must not forget to handle MASP Actions.
In this case we need a way for the tx to trigger the required VPs
Nice, I see you've now covered this case.
On top of checking that VPs have been triggered we should also check that the corresponding Action has been written to storage to ensure that the VP will run the correct validation
Nice, I see you've also covered this case.
There was a problem hiding this comment.
For a single transfer I think we would need do something like this:
1. If a VP of an address who must authorize the tx is not going to be triggered from the changed keys (yes, it is only the leading part) then the tx has to `insert_verifier` 2. The MASP VP should require an `Action` to be written so a tx is not allowed to skip it (i.e. actions must not be empty)For these to work together the MASP VP should then ensure that when the action is
MaspSignerthen the address in this action is contained in theverifiersset.
At least in the current PR, this is all covered right? The current conditional forces the presence of the signer in the verifiers list. The next conditional forces the presence of the corresponding MaspSigner Action.
However, with the scenario with multiple transfers @murisi described I think this may not be sufficient.
The signer variable in this loop takes on as its value each of the Addresses whose balances are debited during processing (even if their net change is zero), so if this verifier check and the following MaspSigner check is correct then this VP should prevent Christel from committing thievery (since the Tx would be forced to trigger the signature checks elsewhere). Right?
grarco
force-pushed
the
grarco/outsource-masp-sig-verification
branch
from
af6f1dc
to
fc7ab93
Compare
| ) | ||
| .map_err(native_vp::Error::new)?; | ||
| // Otherwise the owner's vp must have been triggered | ||
| if !verifiers.contains(signer) { |
There was a problem hiding this comment.
So this PR only removes the signature verification and requests the corresponding VP to be triggered.
Ah, I completely misread the approach taken by this PR. My bad.
but custom vps could add more checks if desired
I see. And at the bare minimum, custom VPs must not forget to handle MASP Actions.
In this case we need a way for the tx to trigger the required VPs
Nice, I see you've now covered this case.
On top of checking that VPs have been triggered we should also check that the corresponding Action has been written to storage to ensure that the VP will run the correct validation
Nice, I see you've also covered this case.
| ) | ||
| .map_err(native_vp::Error::new)?; | ||
| // Otherwise the owner's vp must have been triggered | ||
| if !verifiers.contains(signer) { |
There was a problem hiding this comment.
For a single transfer I think we would need do something like this:
1. If a VP of an address who must authorize the tx is not going to be triggered from the changed keys (yes, it is only the leading part) then the tx has to `insert_verifier` 2. The MASP VP should require an `Action` to be written so a tx is not allowed to skip it (i.e. actions must not be empty)For these to work together the MASP VP should then ensure that when the action is
MaspSignerthen the address in this action is contained in theverifiersset.
At least in the current PR, this is all covered right? The current conditional forces the presence of the signer in the verifiers list. The next conditional forces the presence of the corresponding MaspSigner Action.
However, with the scenario with multiple transfers @murisi described I think this may not be sufficient.
The signer variable in this loop takes on as its value each of the Addresses whose balances are debited during processing (even if their net change is zero), so if this verifier check and the following MaspSigner check is correct then this VP should prevent Christel from committing thievery (since the Tx would be forced to trigger the signature checks elsewhere). Right?
| @@ -53,7 +53,9 @@ fn apply_tx(ctx: &mut Ctx, tx_data: BatchedTx) -> TxResult { | |||
| .wrap_err("Encountered error while handling MASP transaction")?; | |||
| update_masp_note_commitment_tree(&shielded) | |||
| .wrap_err("Failed to update the MASP commitment tree")?; | |||
| ctx.push_action(Action::Masp(MaspAction { masp_section_ref }))?; | |||
| ctx.push_action(Action::Masp(MaspAction::MaspSectionRef( | |||
There was a problem hiding this comment.
The MASP integration tests seem to be failing for me. Probably they are failing on at least the shielding transactions because their signers have not been added as actions. So I think we need to push some MaspSigner Actions in this vicinity - the same set that will be iterated through in the for signer in signers { loop if we desire to support the Christel thieving corner case above. But at the least, all of the net debited accounts should at least be added to the MaspSigner Actions. No?
There was a problem hiding this comment.
That's correct. I'm fixing this issue rn
|
Ok so I've pushed some more commits, to recap:
One small annoyance, the masp vp considers required authorizers all the addresses whose balance has decreased: this includes balances that had nothing to do with the MASP in that transaction. Because of this we are forced to push actions for these addresses too: at the moment both the |
brentstone
force-pushed
the
grarco/outsource-masp-sig-verification
branch
from
c9cc4e1
to
cf9942a
Compare
There was a problem hiding this comment.
The latest additions would work. But I wonder if there isn't a way to achieve outsourcing without having to augment Transfer with a vector of VP addresses... Might it be possible to collect the VP Addresses from the Authorization sections of the Tx and insert those into the verifier list instead of embedding them in the Transfer structure? Or would this be too constraining/hacky? After all the user and implicit VPs look for the signatures in these sections...
Let me work on a separate PR to fix the MASP VP so that addresses unrelated to the MASP |
Attempted to fix this here: #3516 |
I tend to think it would be slightly hacky and I'm not sure we can derive the address from an authorization section in case of a multisig account, or can we? |
Fair enough agreed, probably attempting this is more trouble than it's worth. On a separate note, I suspect that 65d07fb (i.e. with all the debited accounts as authorizers but without |
grarco
force-pushed
the
grarco/outsource-masp-sig-verification
branch
from
cf9942a
to
dab10a6
Compare
|
Hey @murisi, I've pushed some last updates:
|
| } | ||
| } | ||
|
|
||
| let mut actions_authorizers: HashSet<&Address> = actions |
There was a problem hiding this comment.
Actions are actually a vector of Action, so it's possible to push the same action more than once. I believe from the perspective of the masp vp this is of no importance: we just want to check that the action for a specific authorizer has been written, it doesn't matter if it's duplicated
| ); | ||
| let masp_authorizers: Vec<_> = debited_accounts | ||
| .into_iter() | ||
| .filter(|account| { |
There was a problem hiding this comment.
Nice reduction of the set of authorizers. This works because of the relaxation of the VP in #3516...
| vin_addresses.contains(&addr_taddr(account.clone())) | ||
| }) | ||
| .collect(); | ||
| if masp_authorizers.len() != vin_addresses.len() { |
There was a problem hiding this comment.
I guess this logic would only work for Transactions that do not trigger
namadac cannot generate these, and transactions like these can probably be expressed more simply in a way that does not trigger the aforementioned code anyway.
There was a problem hiding this comment.
Correct, this is a current limitation of the transfer transaction, but as you are saying we don't support these kind of transactions in the client at the moment
| ) | ||
| .into(); | ||
| tracing::debug!("{error}"); | ||
| return Err(error); | ||
| } | ||
| } | ||
| // The transaction shall not push masp authorizer actions that are not | ||
| // needed cause this might lead vps to run a wrong validation logic | ||
| if !actions_authorizers.is_empty() { |
There was a problem hiding this comment.
The transaction shall not push masp authorizer actions that are not needed
This is fine, though it means that transactions need to precisely compute/maintain the required set of authorizers even when the logic at
is triggered. Theoretically this set might also contain addresses that are not in theTransaction transparent inputs and hence may be inconvenient to compute and push in transactions.
There was a problem hiding this comment.
That's correct, there's some burden on the transaction side to match the set of verifiers. But eventually the transaction has to either match the set of authorizers required by the vps exactly or match a superset of it (in case we wanted to relax this condition). The only thing I can think of to ease the computation on the transaction side would be to push actions for all the involved parties (which need to be computed anyway since, as you are saying, they might not be limited to the transparent inputs). This would lead to an increase in gas cost given by the extra (unneeded) signatures attached to the transaction and by the cost of their verification: at the end this might outweigh the added gas cost for the logic to be placed in the transfer transaction. Another issue is that collecting some of these signatures could be complicated and make the ux more unpleasant
| ) | ||
| .into(); | ||
| tracing::debug!("{error}"); | ||
| return Err(error); | ||
| } | ||
| } | ||
| // The transaction shall not push masp authorizer actions that are not | ||
| // needed cause this might lead vps to run a wrong validation logic | ||
| if !actions_authorizers.is_empty() { |
There was a problem hiding this comment.
this might lead vps to run a wrong validation logic
I'd assumed that redundant MASP authorizer actions only imply signature checks for redundant signatures. In a correctly implemented VP, is this not necessarily the case?
There was a problem hiding this comment.
For our VPs, that's correct, we'd just recheck the signature (which actually doesn't even happen because of the Gadget that caches the result of the signature check and ensures that we run that verification at most once). I'm not sure this holds for incorrectly VPs though: I believe the worst that could happen was the rejection of a valid transaction but not the acceptance of an invalid one. But some really broken VPs could actually end up accepting invalid transactions because of masp actions. So my reasoning here was to be very conservative, also because there's really no reason why someone should push a masp action which isn't required
* grarco/outsource-masp-sig-verification: Transfer transaction fails if masp transparent inputs are not debited Changelog #3312 Masp vp checks that no unneeded actions are pushed Transfer transaction pushes masp actions Renames masp signers to authorizers Refactors masp action checks Masp vp checks for signer actions Moves signatures verification from masp vp to the affected vps
Describe your changes
Closes #3312.
Swaps the signature verification call in the masp vp with a check on the triggered vps. Introduces a new masp
Actionto support signature verification in the affected vps since we expect them to not be triggered by the transaction itself (no changed keys).Indicate on which release or other PRs this topic is based on
#3516 (diffs for review: https://github.com/anoma/namada/pull/3372/files/17b9fcfa9c85f5a115646120f6595e8cf28c38a7..fc63450e3dfc2882c467d96a2600d761fb40853b)
Checklist before merging to
draft