fix: do not include user addr in sig verification

lfglabs-dev · Mar 4, 2024 · ff4ef29 · ff4ef29
1 parent 6b2206d
commit ff4ef29
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 41 deletions.
diff --git a/scripts/generate_sig.py b/scripts/generate_sig.py
@@ -11,7 +11,7 @@
 quote = 1221805004292776
 max_validity = 1000
 encoded_string = 724720344857006587549020016926517802128122613457935427138661
-data = pedersen_hash(pedersen_hash(pedersen_hash(pedersen_hash(user_addr, erc20_addr), quote), max_validity), encoded_string)
+data = pedersen_hash(pedersen_hash(pedersen_hash(erc20_addr, quote), max_validity), encoded_string)
 
 (x, y) = sign(data, priv_key)
 print("sig:", hex(x), hex(y))
diff --git a/src/naming/main.cairo b/src/naming/main.cairo
@@ -299,18 +299,15 @@ mod Naming {
 
             // verify signature
             let altcoin: felt252 = altcoin_addr.into();
-            let quote_felt : felt252 = quote.into();
+            let quote_felt: felt252 = quote.into();
             let message_hash = LegacyHash::hash(
-                LegacyHash::hash(
-                    LegacyHash::hash(
-                        LegacyHash::hash(get_caller_address().into(), altcoin), quote_felt
-                    ),
-                    max_validity
-                ),
+                LegacyHash::hash(LegacyHash::hash(altcoin, quote_felt), max_validity),
                 'starknet id altcoin quote'
             );
             let (sig0, sig1) = sig;
-            let is_valid = check_ecdsa_signature(message_hash, self._server_pub_key.read(), sig0, sig1);
+            let is_valid = check_ecdsa_signature(
+                message_hash, self._server_pub_key.read(), sig0, sig1
+            );
             assert(is_valid, 'Invalid signature');
 
             // find domain cost in ETH
@@ -398,18 +395,15 @@ mod Naming {
             assert(get_block_timestamp() <= max_validity, 'quotation expired');
             // verify signature
             let altcoin: felt252 = altcoin_addr.into();
-            let quote_felt : felt252 = quote.into();
+            let quote_felt: felt252 = quote.into();
             let message_hash = LegacyHash::hash(
-                LegacyHash::hash(
-                    LegacyHash::hash(
-                        LegacyHash::hash(get_caller_address().into(), altcoin), quote_felt
-                    ),
-                    max_validity
-                ),
+                LegacyHash::hash(LegacyHash::hash(altcoin, quote_felt), max_validity),
                 'starknet id altcoin quote'
             );
             let (sig0, sig1) = sig;
-            let is_valid = check_ecdsa_signature(message_hash, self._server_pub_key.read(), sig0, sig1);
+            let is_valid = check_ecdsa_signature(
+                message_hash, self._server_pub_key.read(), sig0, sig1
+            );
             assert(is_valid, 'Invalid signature');
 
             // we need a u256 to be able to perform safe divisions
@@ -421,7 +415,17 @@ mod Naming {
                 .compute_renew_price(domain_len, days);
             // compute domain cost in altcoin
             let price_in_altcoin = self.get_altcoin_price(quote, price_in_eth.try_into().unwrap());
-            self.pay_domain(domain_len, altcoin_addr, price_in_altcoin, now, days, domain, sponsor, discount_id);
+            self
+                .pay_domain(
+                    domain_len,
+                    altcoin_addr,
+                    price_in_altcoin,
+                    now,
+                    days,
+                    domain,
+                    sponsor,
+                    discount_id
+                );
             self.emit(Event::SaleMetadata(SaleMetadata { domain, metadata }));
             // find new domain expiry
             let new_expiry = if domain_data.expiry <= now {

diff --git a/src/tests/naming/test_altcoin.cairo b/src/tests/naming/test_altcoin.cairo
@@ -73,8 +73,8 @@ fn test_buy_domain_with_strk() {
     // we buy with no resolver, no sponsor, no discount and empty metadata
     let max_validity = 1000;
     let sig = (
-        0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632,
-        0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31
+        0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1,
+        0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a
     );
     naming
         .altcoin_buy(
@@ -130,8 +130,8 @@ fn test_buy_domain_altcoin_quote_expired() {
     // we buy with no resolver, no sponsor, no discount and empty metadata
     let max_validity = 1000;
     let sig = (
-        0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632,
-        0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31
+        0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1,
+        0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a
     );
 
     // we try buying after the max_validity timestamp
@@ -184,8 +184,8 @@ fn test_buy_domain_altcoin_wrong_quote() {
     // we buy with no resolver, no sponsor, no discount and empty metadata
     let max_validity = 1000;
     let sig = (
-        0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632,
-        0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31
+        0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1,
+        0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a
     );
     // we try buying with a quote lower than the actual price
     naming
@@ -234,8 +234,8 @@ fn test_renew_domain_with_strk() {
     // we buy with no resolver, no sponsor, no discount and empty metadata
     let max_validity = 1000;
     let sig = (
-        0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632,
-        0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31
+        0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1,
+        0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a
     );
     naming
         .altcoin_buy(
@@ -269,22 +269,25 @@ fn test_renew_domain_with_strk() {
     // we renew with no sponsor, no discount and empty metadata
     let max_validity = 1000;
     let sig = (
-        0x35ca6ee2dadda50edb4fe0f50aa2aae356a4d695e1e34dfbecb366a44cb5495,
-        0x65d27e9121fc9712781b5a815461049a380ad87aac051f174c5c482195dcb90
-    );
-    naming.altcoin_renew(
-        th0rgal, 
-        365, 
-        ContractAddressZeroable::zero(), 
-        0, 
-        0, 
-        strk.contract_address,
-        quote,
-        max_validity,
-        sig
+        0x42768490cdba55ef41ac540caab9a9ec4133b5d1f42289d2c32f5c1efc07f65,
+        0x15d56a36d5fa94dc183ef32f4f9bc3d7f0d4b68b8b07a4541cad11a8c9cf7f6
     );
+    naming
+        .altcoin_renew(
+            th0rgal,
+            365,
+            ContractAddressZeroable::zero(),
+            0,
+            0,
+            strk.contract_address,
+            quote,
+            max_validity,
+            sig
+        );
     assert(strk.allowance(caller, naming.contract_address) == 0, 'allowance not reset');
-    assert(naming.domain_to_data(array![th0rgal].span()).expiry == 2 * 365 * 86400, 'invalid renew expiry');
+    assert(
+        naming.domain_to_data(array![th0rgal].span()).expiry == 2 * 365 * 86400,
+        'invalid renew expiry'
+    );
 }
 
-