As it currently stands, the standard signing procedure is `byte(0x19), byte(0), this, nonce[identityOwner(identity)], identity + other data to be signed`. Due to all of the registries being deployed at the same contract address, this allows for a signed transaction to be replayed on a different network. The downsides of this are small, but could still be quite annoying/negative for a user.
For example, if I were to have changed my owner on my 50th transaction on Rinkeby, an attacker could wait until my mainnet identity owner at the same address had 49 transactions and could then replay the transaction to force me to swap owners. If I had lost ownership of the new address this could render my identity unusable.
I understand the cases where this can come into play are pretty niche, but I would like to propose an update to the signing methods to `byte(0x19), byte(0), this, NETWORK_ID, nonce[identityOwner(identity)], identity + other data to be signed`. Under this signing logic, the `NETWORK_ID` would be hard-coded into each deployed smart contract as 1 (Mainnet), 3 (Ropsten), 4 (Rinkeby) and 42 (Kovan).
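The replay described in the issue, and the effect of the proposed `NETWORK_ID` field, modelled off-chain in Python as an added example (not code from the issue or from the registry contract). Assumptions: `sha3_256` stands in for the EVM's keccak256, an HMAC stands in for the owner's ECDSA signature, and the addresses, key and `changeOwner` payload are constructed.

```python
import hashlib
import hmac

# Constructed sample values; none come from the issue or the deployed registry.
REGISTRY = bytes.fromhex("11" * 20)   # same contract address on every network
IDENTITY = bytes.fromhex("22" * 20)
NEW_OWNER = bytes.fromhex("33" * 20)
OWNER_KEY = b"constructed-owner-key"  # stand-in for the owner's private key


def digest(network_id, nonce, new_owner):
    """Hash the signed fields; network_id=None reproduces the current layout."""
    parts = [b"\x19", b"\x00", REGISTRY]
    if network_id is not None:
        parts.append(network_id.to_bytes(32, "big"))  # proposed NETWORK_ID field
    # b"changeOwner" + new_owner is an assumed form of "other data to be signed"
    parts += [nonce.to_bytes(32, "big"), IDENTITY, b"changeOwner", new_owner]
    return hashlib.sha3_256(b"".join(parts)).digest()  # stand-in for keccak256


def sign(msg_digest):
    """HMAC stand-in for the owner's ECDSA signature over the digest."""
    return hmac.new(OWNER_KEY, msg_digest, hashlib.sha256).digest()


class Registry:
    """One deployment; bind_network selects the proposed layout."""

    def __init__(self, network_id, bind_network, nonce):
        self.network_id = network_id if bind_network else None
        self.nonce, self.owner = nonce, IDENTITY

    def change_owner_signed(self, sig, new_owner):
        expected = sign(digest(self.network_id, self.nonce, new_owner))
        if not hmac.compare_digest(sig, expected):
            return False                # wrong network, nonce or signer
        self.nonce, self.owner = self.nonce + 1, new_owner
        return True


def replay_accepted(bind_network):
    """Sign once for Rinkeby (4), then submit the same signature on mainnet (1)."""
    rinkeby = Registry(4, bind_network, nonce=49)
    mainnet = Registry(1, bind_network, nonce=49)  # nonces aligned, as in the issue
    sig = sign(digest(rinkeby.network_id, rinkeby.nonce, NEW_OWNER))
    assert rinkeby.change_owner_signed(sig, NEW_OWNER)  # intended use
    return mainnet.change_owner_signed(sig, NEW_OWNER)
```

`replay_accepted(False)` returns `True` because both deployments compute the same digest; `replay_accepted(True)` returns `False` because the mainnet deployment hashes a different network ID than the one that was signed.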