multisig: add post-kex verification round #8220
Conversation
UkoeHB
force-pushed
the
multisig_conf_round
branch
from
f4d63d3 to
e0b762c
Compare
| @@ -113,7 +127,7 @@ namespace multisig | |||
| bool multisig_account::multisig_is_ready() const | |||
| { | |||
| if (main_kex_rounds_done()) | |||
| return m_kex_rounds_complete == multisig_kex_rounds_required(m_signers.size(), m_threshold) + 1; | |||
| return m_kex_rounds_complete >= multisig_kex_rounds_required(m_signers.size(), m_threshold) + 1; | |||
There was a problem hiding this comment.
Slightly more robust in case of errors elsewhere.
| std::sort(signers.begin(), signers.end()); | ||
|
|
||
| // signers should all be unique | ||
| CHECK_AND_ASSERT_THROW_MES(std::adjacent_find(signers.begin(), signers.end()) == signers.end(), | ||
| "multisig account: tried to set signers, but there are duplicate signers unexpectedly."); |
UkoeHB
force-pushed
the
multisig_conf_round
branch
from
6fad16e to
fbdd39d
Compare
|
I updated the multisig account implementation to always emit the post-kex verification msg once an account is complete. This way the msg is always available if needed. Previously, a lot of tests were using 'empty kex msg emitted' as a proxy for 'multisig account is ready'. Now you need to query if 'multisig is ready' directly (this is more intuitive and robust anyway). That change probably breaks the MMS @rbrunner7 . Following the multisig kex protocol isn't sufficient by itself to robustly set up multisig accounts. No matter how many rounds you add, a malicious player can always selectively send their final message to only some other players. To get around that blocking vector, we need a solution in the messaging layer. There are a few options.
Note: I decided not to implement message caching in the wallet file because it is more appropriate for the message handling layer to take responsibility for handling messages (caching, transmitting, etc.). Also, this way you don't pay for what you don't use, if you don't need wallet-side caching. |
|
As you predicted this needed some more small changes in I ran my usual tests with your code plus my changes, using the MMS, for 2/2, 2/3 and 3/5 multisig. Everything - building wallets, receiving a tx, sending a tx - worked flawlessly. Of course with an almost fully automatic system like the MMS you hardly notice the additional data exchange round. |
I confess I don't fully understand everything you explain and propose here as options. But I brainstormed a little nevertheless how supporting such options could look in the MMS, and how much effort would be needed to implement. I came up with an estimate of a few working days. It's not too hard, but not trivial either. It will probably need a handful of new commands, new logic within the With the low usage that the MMS sees and the corresponding low importance for the Monero ecosystem as a whole I don't see me implementing anything here in the near future, frankly. |
There was a problem hiding this comment.
For this PR it's the same as with the previous multisig-related one: I can't review the code, so this is not a proper code approval, but I did carefully test the code with 2/2, 2/3 and 3/5 multisig and can confirm that everything fully worked.
I think together with @moneromooo-monero 's look at the code from a technical point of view this should give something like a full review ...
|
@rbrunner7 thank you! |
|
@rbrunner7 for MMS documentation, you could recommend that users manually verify with each other that their accounts are complete before sending any money to the multisig address. It's not automated like the other solutions, but would still work. (edit: doing that would be the manual version of method 3) |
|
Update: the post-kex verification round must also check that all players have the same common pubkey (which is used as the view key by wallets). |
UkoeHB
force-pushed
the
multisig_conf_round
branch
from
18aece4 to
d844b00
Compare
…nts have completed the multisig address
UkoeHB
force-pushed
the
multisig_conf_round
branch
from
d844b00 to
0d6ecb1
Compare
|
Squashed |
Problem: When creating a group multisig account, each step of key exchange relies on messages from all other participants. If a malicious player only sends their final message to one honest player, but not others, then the other honest players will be stuck without completed accounts. If that one honest player receives funds to the address he created, then those funds will either be unspendable or only spendable with cooperation from malicious group members.
Solution: Add a round to multisig account creation to verify that all other participants have completed their accounts.
This PR also has some semantic and control-flow cleanup of the multisig kex implementation (I am not satisfied with the readability of my earlier work - cleanup will continue in PR #8203 and alongside the Seraphis library which adds support for aggregation-style multisig signing).
TODO (done: #8582): I will add an
unsafe_update_use_with_careflag to themultisig_account::initialize_kex()andmultisig_account::kex_update()methods. This flag will allow users to fast-forward through the extra round added by this PR, and under some conditions even do so safely (without needing to trust other participants).