From ff4ef2977831cb0f3b30fa401dc2c76ec63a856e Mon Sep 17 00:00:00 2001 From: Iris Date: Mon, 4 Mar 2024 17:55:49 +0100 Subject: [PATCH] fix: do not include user addr in sig verification --- scripts/generate_sig.py | 2 +- src/naming/main.cairo | 38 ++++++++++++---------- src/tests/naming/test_altcoin.cairo | 49 +++++++++++++++-------------- 3 files changed, 48 insertions(+), 41 deletions(-) diff --git a/scripts/generate_sig.py b/scripts/generate_sig.py index 9cd691d..6c84fea 100644 --- a/scripts/generate_sig.py +++ b/scripts/generate_sig.py @@ -11,7 +11,7 @@ quote = 1221805004292776 max_validity = 1000 encoded_string = 724720344857006587549020016926517802128122613457935427138661 -data = pedersen_hash(pedersen_hash(pedersen_hash(pedersen_hash(user_addr, erc20_addr), quote), max_validity), encoded_string) +data = pedersen_hash(pedersen_hash(pedersen_hash(erc20_addr, quote), max_validity), encoded_string) (x, y) = sign(data, priv_key) print("sig:", hex(x), hex(y)) \ No newline at end of file diff --git a/src/naming/main.cairo b/src/naming/main.cairo index 8030bb0..92a3c04 100644 --- a/src/naming/main.cairo +++ b/src/naming/main.cairo @@ -299,18 +299,15 @@ mod Naming { // verify signature let altcoin: felt252 = altcoin_addr.into(); - let quote_felt : felt252 = quote.into(); + let quote_felt: felt252 = quote.into(); let message_hash = LegacyHash::hash( - LegacyHash::hash( - LegacyHash::hash( - LegacyHash::hash(get_caller_address().into(), altcoin), quote_felt - ), - max_validity - ), + LegacyHash::hash(LegacyHash::hash(altcoin, quote_felt), max_validity), 'starknet id altcoin quote' ); let (sig0, sig1) = sig; - let is_valid = check_ecdsa_signature(message_hash, self._server_pub_key.read(), sig0, sig1); + let is_valid = check_ecdsa_signature( + message_hash, self._server_pub_key.read(), sig0, sig1 + ); assert(is_valid, 'Invalid signature'); // find domain cost in ETH @@ -398,18 +395,15 @@ mod Naming { assert(get_block_timestamp() <= max_validity, 'quotation expired'); // verify signature let altcoin: felt252 = altcoin_addr.into(); - let quote_felt : felt252 = quote.into(); + let quote_felt: felt252 = quote.into(); let message_hash = LegacyHash::hash( - LegacyHash::hash( - LegacyHash::hash( - LegacyHash::hash(get_caller_address().into(), altcoin), quote_felt - ), - max_validity - ), + LegacyHash::hash(LegacyHash::hash(altcoin, quote_felt), max_validity), 'starknet id altcoin quote' ); let (sig0, sig1) = sig; - let is_valid = check_ecdsa_signature(message_hash, self._server_pub_key.read(), sig0, sig1); + let is_valid = check_ecdsa_signature( + message_hash, self._server_pub_key.read(), sig0, sig1 + ); assert(is_valid, 'Invalid signature'); // we need a u256 to be able to perform safe divisions @@ -421,7 +415,17 @@ mod Naming { .compute_renew_price(domain_len, days); // compute domain cost in altcoin let price_in_altcoin = self.get_altcoin_price(quote, price_in_eth.try_into().unwrap()); - self.pay_domain(domain_len, altcoin_addr, price_in_altcoin, now, days, domain, sponsor, discount_id); + self + .pay_domain( + domain_len, + altcoin_addr, + price_in_altcoin, + now, + days, + domain, + sponsor, + discount_id + ); self.emit(Event::SaleMetadata(SaleMetadata { domain, metadata })); // find new domain expiry let new_expiry = if domain_data.expiry <= now { diff --git a/src/tests/naming/test_altcoin.cairo b/src/tests/naming/test_altcoin.cairo index 16d9274..7a35d60 100644 --- a/src/tests/naming/test_altcoin.cairo +++ b/src/tests/naming/test_altcoin.cairo @@ -73,8 +73,8 @@ fn test_buy_domain_with_strk() { // we buy with no resolver, no sponsor, no discount and empty metadata let max_validity = 1000; let sig = ( - 0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632, - 0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31 + 0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1, + 0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a ); naming .altcoin_buy( @@ -130,8 +130,8 @@ fn test_buy_domain_altcoin_quote_expired() { // we buy with no resolver, no sponsor, no discount and empty metadata let max_validity = 1000; let sig = ( - 0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632, - 0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31 + 0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1, + 0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a ); // we try buying after the max_validity timestamp @@ -184,8 +184,8 @@ fn test_buy_domain_altcoin_wrong_quote() { // we buy with no resolver, no sponsor, no discount and empty metadata let max_validity = 1000; let sig = ( - 0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632, - 0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31 + 0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1, + 0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a ); // we try buying with a quote lower than the actual price naming @@ -234,8 +234,8 @@ fn test_renew_domain_with_strk() { // we buy with no resolver, no sponsor, no discount and empty metadata let max_validity = 1000; let sig = ( - 0x2460d27e5d5f25e2b6450a57853d634f812484e9d7c541adcbd04d9a22f3632, - 0x7f8723da0253c58ebccc036b5060f4538ed4301f40d66f4aa0ba3932adb9b31 + 0x2d46882b7601332cab0b45a44c5da71d7cb8698d2aaa3eee1c777430047b4b1, + 0x2eaebd6d46827e5bb1fd5c1a96c85f5dfbf3b77df03627545594e695867348a ); naming .altcoin_buy( @@ -269,22 +269,25 @@ fn test_renew_domain_with_strk() { // we renew with no sponsor, no discount and empty metadata let max_validity = 1000; let sig = ( - 0x35ca6ee2dadda50edb4fe0f50aa2aae356a4d695e1e34dfbecb366a44cb5495, - 0x65d27e9121fc9712781b5a815461049a380ad87aac051f174c5c482195dcb90 - ); - naming.altcoin_renew( - th0rgal, - 365, - ContractAddressZeroable::zero(), - 0, - 0, - strk.contract_address, - quote, - max_validity, - sig + 0x42768490cdba55ef41ac540caab9a9ec4133b5d1f42289d2c32f5c1efc07f65, + 0x15d56a36d5fa94dc183ef32f4f9bc3d7f0d4b68b8b07a4541cad11a8c9cf7f6 ); + naming + .altcoin_renew( + th0rgal, + 365, + ContractAddressZeroable::zero(), + 0, + 0, + strk.contract_address, + quote, + max_validity, + sig + ); assert(strk.allowance(caller, naming.contract_address) == 0, 'allowance not reset'); - assert(naming.domain_to_data(array![th0rgal].span()).expiry == 2 * 365 * 86400, 'invalid renew expiry'); + assert( + naming.domain_to_data(array![th0rgal].span()).expiry == 2 * 365 * 86400, + 'invalid renew expiry' + ); } -