fix merkle verify vulnerability #11
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The current merkle verification can be cheated when there is not-power-of-2 number of leaves on the merkle tree. The attack allows for using a different index than the original.
This is due to the duplication effect the Bitcoin merkle tree has.
For this tree, the parent of e and f is duplicated to calculate its parent when the merkle tree is built.
This allows for an attacker to use index 6 instead of 4. If an application depending on BTCUtils needs to compare ordering of bitcoin txs and only trust the SPV proof, this is problematic.
The proposed fix is to compare with the left child whenever current hash is the right child.
In the test vectors I added an example that has the same exact proof but uses index 2 and 3 for the same leaf. The output was true for both cases before the change in the Solidity code. I can add more tests if needed.