Skip to content
This repository has been archived by the owner on Apr 15, 2020. It is now read-only.

Metatransactions have replay potential #71

Closed
jessicagmarshall opened this issue Nov 15, 2017 · 0 comments
Closed

Metatransactions have replay potential #71

jessicagmarshall opened this issue Nov 15, 2017 · 0 comments

Comments

@jessicagmarshall
Copy link

uport-identity/contracts/TxRelay.sol

Line 29 in 880f8b8

// relay :: nonce :: destination :: data :: relayer

The keys that sign metatransactions are intended to be used for raw Ethereum transactions as well, especially when bypassing the relay altogether and sending transactions directly. Signed data can be rebroadcast as raw Ethereum transactions if the plaintext is formatted similarly. This should not be possible given the current metatransaction payload since the payload size differs from a raw transaction, but the safest option is to prefix the payload with data that will never be part of a valid transaction.

Recommendation

Consider using EIP 191 signed messages for metatransactions to guarantee protection from replaying as raw transactions.
oed added a commit that referenced this issue Nov 16, 2017
@oed
Use EIP 191. fix #71
baaf442
@oed oed mentioned this issue Nov 16, 2017
Merged
@oed oed closed this as completed in 1557d1d Dec 8, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@jessicagmarshall