Skip to content

fix: improve receipt deduplication with signature normalization #291

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 8, 2025
Merged

fix: improve receipt deduplication with signature normalization #291

merged 3 commits into from
May 8, 2025

Conversation

@suchapalaver
Copy link
Contributor

@suchapalaver suchapalaver commented May 7, 2025
edited
Loading

Description

This PR improves the security of receipt deduplication by making it resistant to signature malleability attacks. The implementation now identifies receipts based on their message content and recovered signer, rather than just raw signature bytes.

Changes

  • Replaced unique_hash method to Eip712SignedMessage that combines message content and signer address
  • Updated check_signatures_unique to use this malleation-resistant approach
  • Added test case demonstrating the signature malleability issue and verifying the fix

@suchapalaver suchapalaver force-pushed the suchapalaver/improve-receipt-deduplication-with-signature-normalization branch from 1b5def8 to 87ceff7 Compare May 7, 2025 17:13
@coveralls
Copy link

coveralls commented May 7, 2025
edited
Loading

Pull Request Test Coverage Report for Build 14889332084

Details

  • 59 of 59 (100.0%) changed or added relevant lines in 6 files are covered.
  • 3 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+0.05%) to 76.06%
Files with Coverage Reduction New Missed Lines %
tap_eip712_message/src/lib.rs 3 90.32%
Totals Coverage Status
Change from base Build 14846412522: 0.05%
Covered Lines: 1328
Relevant Lines: 1746
💛 - Coveralls

@suchapalaver suchapalaver force-pushed the suchapalaver/improve-receipt-deduplication-with-signature-normalization branch from 87ceff7 to cc8e00f Compare May 7, 2025 17:17
TypeLevelConsoli
TypeLevelConsoli approved these changes May 7, 2025
View reviewed changes
Copy link

@TypeLevelConsoli TypeLevelConsoli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great, thanks

tap_aggregator/src/aggregator/v1.rs

#[rstest]
#[test]
fn test_signature_malleability_vulnerability(
Copy link

@TypeLevelConsoli TypeLevelConsoli May 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I really appreciate the comments in this test case! Great work!

@suchapalaver suchapalaver merged commit 2f06fc7 into main May 8, 2025
8 checks passed
@suchapalaver suchapalaver mentioned this pull request May 9, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TypeLevelConsoli TypeLevelConsoli TypeLevelConsoli approved these changes

@neithanmo neithanmo Awaiting requested review from neithanmo neithanmo is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@suchapalaver @coveralls @TypeLevelConsoli