This update was written and provided by Litecoin MimbleWimble lead developer David Burkett.
——–
Security Vulnerability
As shared on Twitter yesterday:
Kurt, a long-time GRIN community member, contacted Charlie and me to tell us of a vulnerability in the design for non-interactive transactions. While the attack is difficult to carry out in practice, it does allow for theft of funds if the conditions line up just right.
This attack is rather technical, and hard to understand without first learning all of the crypto behind MWEB. Very informally, it works like this:
- Alice sends 2 coins to Bob:
  - coin 1 = 10 LTC
  - coin 2 = 20 LTC
- Bob creates 2 transactions, 1 to Charlie, and another back to Alice, and sends them at roughly the same time:
  - tx1 = spend coin 1 to send 8 LTC to Alice (8 LTC Alice, 2 LTC change)
  - tx2 = spend coin 2 to send 15 LTC to Charlie (15 LTC Charlie, 5 LTC change)
- Alice modifies tx1 to spend coin 2 instead, keeping the extra 10 LTC for herself:
  - tx3 = spend coin 2 to send 18 LTC to Alice and 2 LTC back to Bob as change
  - tx1 & tx2 are dropped and replaced with tx3
There are a number of reasons why this attack would fail in practice nearly every time. But the consequences if it did succeed would be very serious, so it was obvious this was something we had to prevent.
We're very grateful to Kurt for taking the time to study MWEB's design, and for reaching out to share this attack with us. Because of the significance of the finding, Charlie generously donated his own money to pay Kurt a well-deserved 0.15 BTC bounty.
The Fix
Considering the proximity to the planned launch date, panic started to set in. Fortunately, I realized there's a relatively simple fix for the attack that consists of introducing a new public key in each input that prevents reuse of input signatures.
At the same time we were working through the details of the attack & fixes, I was put in touch with some top-notch cryptographers who offered to do a security audit of our design, which they were considering using as a starting point for another project they were working on.
The need for a more formally documented design became evident, so I spent the next few weeks rewriting LIP-0004 into a more complete and formally specified design, making minor tweaks along the way to harden it where I could. Clearly, I should've done this from the beginning, because we've had nearly as many reviewers of LIP-0004 in this past month as we have had for the previous 1.5 years.