Multisig validation before approval #86

Open
abourget opened this issue Sep 20, 2018 · 1 comment
Labels: enhancement (New feature or request), security

@abourget
Contributor

There is a risk that, between the moment you review a multisig transaction and the moment you approve it, it is changed under the hood and you approve the wrong thing.

Ideally, multisig review prints a transaction ID, and you approve a transaction ID that you check before and after approval. Pass a `--verify-id` hash or something...

abourget added the enhancement (New feature or request) and security labels Sep 20, 2018
abourget added this to the v1.1.0-TechPreview milestone Sep 20, 2018

@fproulx-dfuse
Contributor

There is still a race condition. We can do a `get table` on `eosio.msig` right before the approve, hash the packed TX, and right after you approve, as you said, we check again and can immediately cancel if there's a mismatch...

It's not bulletproof (ideally the approve msig would have that built in, maybe as an optional param so it's backward compat), but it's an OK mitigation.
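
The check discussed in this thread, as an added Python example (not code from this project or its contributors): hash the packed transaction from the `eosio.msig` proposal row before approving, re-read it right after, and withdraw the approval on a mismatch. The `chain` client, `FakeChain`, the choice of SHA-256, `unapprove` as the way to withdraw, and the sample bytes are all assumptions of this example.

```python
import hashlib

class ProposalChanged(Exception):
    """The on-chain proposal no longer matches the hash that was reviewed."""

def packed_tx_hash(packed_hex):
    """Hex SHA-256 over the raw bytes of a hex-encoded packed transaction."""
    return hashlib.sha256(bytes.fromhex(packed_hex)).hexdigest()

def verified_approve(chain, proposer, name, reviewed_hash):
    """Approve only if the proposal hashes to reviewed_hash before and after.

    `chain` is a hypothetical client (not an eosc API) that provides:
      packed_tx(proposer, name) -> hex packed TX from the eosio.msig table row
      approve(proposer, name) and unapprove(proposer, name)
    """
    if packed_tx_hash(chain.packed_tx(proposer, name)) != reviewed_hash:
        raise ProposalChanged("changed since review; nothing was approved")
    chain.approve(proposer, name)
    try:  # re-read right after approving, as the thread proposes
        after = packed_tx_hash(chain.packed_tx(proposer, name))
    except Exception:
        after = None  # fail closed: an unreadable row counts as a mismatch
    if after != reviewed_hash:
        chain.unapprove(proposer, name)
        raise ProposalChanged("changed during approval; approval withdrawn")
    return after

class FakeChain:
    """Constructed in-memory stand-in: serves `swapped` after `swap_after` reads."""
    def __init__(self, row, swapped=None, swap_after=None):
        self.row, self.swapped, self.swap_after = row, swapped, swap_after
        self.reads, self.calls = 0, []
    def packed_tx(self, proposer, name):
        self.reads += 1
        swap = self.swap_after is not None and self.reads > self.swap_after
        return self.swapped if swap else self.row
    def approve(self, proposer, name):
        self.calls.append("approve")
    def unapprove(self, proposer, name):
        self.calls.append("unapprove")

REVIEWED = "deadbeef00"  # constructed sample bytes, not a real packed transaction

if __name__ == "__main__":
    chain = FakeChain(REVIEWED, swapped="00", swap_after=1)  # swap lands mid-approval
    try:
        verified_approve(chain, "alice", "upgrade", packed_tx_hash(REVIEWED))
    except ProposalChanged as exc:
        print(exc, chain.calls)
```

A window remains between the second read and any later change to the proposal, which is the residual race the last comment points out.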
