Replay attacks of proof-authorised account updates across multiple networks

[MartinOndejka]

In the zkapp MIP, the replay attacks measures mostly revolve around correct nonce. Currently to prevent replaying of signed commands from berkeley to mainnet, there is a custom salt for hashing, which will create unique signature for any network. This will work also for signature-authorised account updates because of the unique signature, but what about the proof-authorised account updates? The nonce precondition can be bypassed easily. Does the use_full_commitment play role in the proof in some way so the fee payer hash (with network salt) is included? If not is there some another plan to prevent replaying of berkeley account updates on mainnet after hardfork?

[mitschabaude]

The nonce precondition can be bypassed easily.

How? Can you elaborate on that?

[mitschabaude]

Oh I think you mean it doesn't prevent replay across networks, right?

[MartinOndejka]

Yeah, for example replaying berkeley account updates on mainnet (or maybe some new network). Afaik the hash salt is in place to prevent from replaying payments that way.

[mrmr1993]

Does the use_full_commitment play role in the proof in some way so the fee payer hash (with network salt) is included?

No.

If not is there some another plan to prevent replaying of berkeley account updates on mainnet after hardfork?

No. The easiest way would be to add domain separation for the account update hash prefix, which would be exactly analogous to what we do for signatures

[MartinOndejka]

The easiest way would be to add domain separation for the account update hash prefix

Thanks, that sounds like a good idea. Just to get the better understanding, how is account update hash being used?

[mitschabaude]

The account update hash is the public input to the proof! So proofs wouldn't verify on a different network